/*
 *  Copyright (C) 2013-2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
 *  Copyright (C) 2007-2013 Sourcefire, Inc.
 *
 *  Authors: Nigel Horne, Török Edvin
 *
 *  Also based on Matt Olney's pdf parser in snort-nrt.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2 as
 *  published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 *  MA 02110-1301, USA.
 *
 * TODO: Embedded fonts
 * TODO: Predictor image handling
 */

#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <ctype.h>
#include <string.h>
#include <fcntl.h>
#include <stdlib.h>
#include <errno.h>
#ifdef HAVE_LIMITS_H
#include <limits.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <zlib.h>

#if HAVE_ICONV
#include <iconv.h>
#endif

#ifdef _WIN32
#include <stdint.h>
#endif

#include "clamav.h"
#include "others.h"
#include "pdf.h"
#include "pdfdecode.h"
#include "scanners.h"
#include "fmap.h"
#include "str.h"
#include "entconv.h"
#include "bytecode.h"
#include "bytecode_api.h"
#include "arc4.h"
#include "rijndael.h"
#include "textnorm.h"
#include "conv.h"
#include "json_api.h"

#ifdef CL_DEBUG
/*#define	SAVE_TMP
 *Save the file being worked on in tmp */
#endif

#define MAX_PDF_OBJECTS (64 * 1024)

struct pdf_struct;

static const char *pdf_nextlinestart(const char *ptr, size_t len);
static const char *pdf_nextobject(const char *ptr, size_t len);

/* PDF statistics callbacks and related */
struct pdfname_action;

static void pdf_export_json(struct pdf_struct *);

static void ASCIIHexDecode_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void ASCII85Decode_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void EmbeddedFile_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void FlateDecode_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Image_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void LZWDecode_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void RunLengthDecode_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void CCITTFaxDecode_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void JBIG2Decode_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void DCTDecode_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void JPXDecode_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Crypt_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Standard_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Sig_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void JavaScript_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void OpenAction_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Launch_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Page_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Author_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Creator_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Producer_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void CreationDate_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void ModificationDate_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Title_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Subject_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Keywords_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Pages_cb(struct pdf_struct *, struct pdf_obj *, struct pdfname_action *);
static void Colors_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act);
static void RichMedia_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act);
static void AcroForm_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act);
static void XFA_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act);
static void URI_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act);

/* End PDF statistics callbacks and related */

static int pdf_readint(const char *q0, int len, const char *key);
static const char *pdf_getdict(const char *q0, int *len, const char *key);
static char *pdf_readval(const char *q, int len, const char *key);
static char *pdf_readstring(const char *q0, int len, const char *key, unsigned *slen, const char **qend, bool noescape);

static int xrefCheck(const char *xref, const char *eof)
{
    const char *q;

    while (xref < eof && (*xref == ' ' || *xref == '\n' || *xref == '\r'))
        xref++;

    if (xref + 4 >= eof)
        return -1;

    if (!memcmp(xref, "xref", strlen("xref"))) {
        cli_dbgmsg("cli_pdf: found xref\n");
        return 0;
    }

    /* could be xref stream */
    for (q = xref; q + 5 < eof; q++) {
        if (!memcmp(q, "/XRef", strlen("/XRef"))) {
            cli_dbgmsg("cli_pdf: found /XRef\n");
            return 0;
        }
    }

    return -1;
}

/* define this to be noisy about things that we can't parse properly */
#undef NOISY

#ifdef NOISY
#define noisy_msg(pdf, ...) cli_infomsg(pdf->ctx, __VA_ARGS__)
#define noisy_warnmsg(...) cli_warnmsg(__VA_ARGS__)
#else
#define noisy_msg(pdf, ...)
#define noisy_warnmsg(...)
#endif

/**
 * @brief   Searching BACKwards, find the next character that is not a whitespace.
 *
 * @param q         Index to start from (at the end of the search space)
 * @param start     Beginning of the search space.
 *
 * @return const char*  Address of the final non-whitespace character OR the same address as the start.
 */
static const char *findNextNonWSBack(const char *q, const char *start)
{
    while (q > start && (*q == 0 || *q == 9 || *q == 0xa || *q == 0xc || *q == 0xd || *q == 0x20))
        q--;

    return q;
}

/**
 * @brief   Searching FORwards, find the next character that is not a whitespace.
 *
 * @param q         Index to start from (at the end of the search space)
 * @param end       End of the search space.
 *
 * @return const char*  Address of the final non-whitespace character OR the same address as the start.
 */
static const char *findNextNonWS(const char *q, const char *end)
{
    while (q < end && (*q == 0 || *q == 9 || *q == 0xa || *q == 0xc || *q == 0xd || *q == 0x20))
        q++;

    return q;
}

/**
 * @brief   Find bounds of stream.
 *
 * PDF streams are prefixed with "stream" and suffixed with "endstream".
 * Return value indicates success or failure.
 *
 * @param start             start address of search space.
 * @param size              size of search space
 * @param[out] stream       output param, address of start of stream data
 * @param[out] stream_size  output param, size of stream data
 * @param newline_hack      hack to support newlines that are \r\n, and not just \n or just \r.
 *
 * @return cl_error_t       CL_SUCCESS if stream bounds were found.
 * @return cl_error_t       CL_BREAK if stream bounds could not be found.
 * @return cl_error_t       CL_EFORMAT if stream start was found, but not end. (truncated)
 * @return cl_error_t       CL_EARG if invalid args were provided.
 */
static cl_error_t find_stream_bounds(
    const char *start,
    size_t size,
    const char **stream,
    size_t *stream_size,
    int newline_hack)
{
    cl_error_t status = CL_BREAK;

    const char *idx;
    const char *stream_begin;
    const char *endstream_begin;
    size_t bytesleft = size;

    if ((NULL == start) || (0 == bytesleft) || (NULL == stream) || (NULL == stream_size)) {
        status = CL_EARG;
        return status;
    }

    *stream      = NULL;
    *stream_size = 0;

    /* Begin by finding the "stream" string that prefixes stream data. */
    if ((stream_begin = cli_memstr(start, bytesleft, "stream", strlen("stream")))) {
        idx = stream_begin + strlen("stream");
        if ((size_t)(idx - start) >= bytesleft)
            goto done;
        bytesleft -= idx - start;

        /* Skip any new line characters. */
        if (bytesleft >= 2 && idx[0] == '\xd' && idx[1] == '\xa') {
            idx += 2;
            bytesleft -= 2;
            if (newline_hack && (bytesleft > 2) && idx[0] == '\xa') {
                idx++;
                bytesleft--;
            }
        } else if (bytesleft && idx[0] == '\xa') {
            idx++;
            bytesleft--;
        }

        /* Pass back start of the stream data. */
        *stream = idx;

        /* Now find the "endstream" string that suffixes stream data. */
        endstream_begin = cli_memstr(idx, bytesleft, "endstream", strlen("endstream"));
        if (!endstream_begin) {
            /* Couldn't find "endstream", but that's ok --
             * -- we'll just count the rest of the provided buffer. */
            cli_dbgmsg("find_stream_bounds: Truncated stream found!\n");
            endstream_begin = start + size;
            status          = CL_EFORMAT;
        }

        /* Pass back end of the stream data, as offset from start. */
        *stream_size = endstream_begin - *stream;

        if (CL_EFORMAT != status)
            status = CL_SUCCESS;
    }

done:

    return status;
}

/**
 * @brief Find the next *indirect* object in an object stream, adds it to our list of
 *        objects, and increments nobj.
 *
 * Indirect objects in a stream DON'T begin with "obj" and end with "endobj".
 * Instead, they have an objid and an offset from the first object to point you
 * right at them.
 *
 * If found, objstm->current will be updated to the next objid.
 *
 * All objects in an object stream are indirect and thus do not begin or start
 * with "obj" or "endobj".  Instead, the object stream takes the following
 * format.
 *
 *      <dictionary describing stream> objstm content endobjstm
 *
 * where content looks something like the following:
 *
 *      15 0 16 3 17 46 (ab)<</IDS 8 0 R/JavaScript 27 0 R/URLS 9 0 R>><</Names[(Test)28 0 R]>>
 *
 * In the above example, the literal string (ab) is indirect object # 15, and
 * begins at offset 0 of the set of objects.  The next object, # 16 begis at
 * offset 3 is a dictionary.  The final object is also a dictionary, beginning
 * at offset 46.
 *
 * @param pdf   Pdf struct that keeps track of all information found in the PDF.
 * @param objstm
 *
 * @return CL_SUCCESS  if success
 * @return CL_EPARSE   if parsing error
 * @return CL_EMEM     if error allocating memory
 * @return CL_EARG     if invalid arguments
 */
int pdf_findobj_in_objstm(struct pdf_struct *pdf, struct objstm_struct *objstm, struct pdf_obj **obj_found)
{
    cl_error_t status   = CL_EPARSE;
    struct pdf_obj *obj = NULL;
    unsigned long objid = 0, objoff = 0;
    long temp_long         = 0;
    const char *index      = NULL;
    size_t bytes_remaining = 0;

    if (NULL == pdf || NULL == objstm) {
        cli_warnmsg("pdf_findobj_in_objstm: invalid arguments\n");
        return CL_EARG;
    }

    if (pdf->nobjs >= MAX_PDF_OBJECTS) {
        pdf->flags |= 1 << BAD_PDF_TOOMANYOBJS;

        cli_dbgmsg("pdf_findobj_in_objstm: reached object maximum\n");
        status = CL_BREAK;
        goto done;
    }

    *obj_found = NULL;

    index           = objstm->streambuf + objstm->current_pair;
    bytes_remaining = objstm->streambuf_len - objstm->current_pair;

    obj = calloc(sizeof(struct pdf_obj), 1);
    if (!obj) {
        cli_warnmsg("pdf_findobj_in_objstm: out of memory finding objects in stream\n");
        status = CL_EMEM;
        goto done;
    }

    /* This object is in a stream, not in the regular map buffer. */
    obj->objstm = objstm;

    /* objstm->current_pair points directly to the objid */
    if (CL_SUCCESS != cli_strntol_wrap(index, bytes_remaining, 0, 10, &temp_long)) {
        /* Failed to find objid */
        cli_dbgmsg("pdf_findobj_in_objstm: Failed to find objid for obj in object stream\n");
        status = CL_EPARSE;
        goto done;
    } else if (temp_long < 0) {
        cli_dbgmsg("pdf_findobj_in_objstm: Encountered invalid negative objid (%ld).\n", temp_long);
        status = CL_EPARSE;
        goto done;
    }
    objid = (unsigned long)temp_long;

    /* Find the obj offset that appears just after the objid*/
    while ((index < objstm->streambuf + objstm->streambuf_len) && isdigit(*index)) {
        index++;
        bytes_remaining--;
    }
    index           = findNextNonWS(index, objstm->streambuf + objstm->first);
    bytes_remaining = objstm->streambuf + objstm->streambuf_len - index;

    if (CL_SUCCESS != cli_strntol_wrap(index, bytes_remaining, 0, 10, &temp_long)) {
        /* Failed to find obj offset */
        cli_dbgmsg("pdf_findobj_in_objstm: Failed to find obj offset for obj in object stream\n");
        status = CL_EPARSE;
        goto done;
    } else if (temp_long < 0) {
        cli_dbgmsg("pdf_findobj_in_objstm: Encountered invalid negative obj offset (%ld).\n", temp_long);
        status = CL_EPARSE;
        goto done;
    }
    objoff = (unsigned long)temp_long;

    if ((size_t)objstm->first + (size_t)objoff > objstm->streambuf_len) {
        /* Alleged obj location is further than the length of the stream */
        cli_dbgmsg("pdf_findobj_in_objstm: obj offset found is greater than the length of the stream.\n");
        status = CL_EPARSE;
        goto done;
    }

    objstm->current = objstm->first + objoff;

    obj->id    = (objid << 8) | (0 & 0xff);
    obj->start = objstm->current;
    obj->flags = 0;

    objstm->nobjs_found++;

    while ((index < objstm->streambuf + objstm->streambuf_len) && isdigit(*index)) {
        index++;
        bytes_remaining--;
    }
    objstm->current_pair = (uint32_t)(findNextNonWS(index, objstm->streambuf + objstm->first) - objstm->streambuf);

    /* Update current_pair, if there are more */
    if ((objstm->nobjs_found < objstm->n) &&
        (index < objstm->streambuf + objstm->streambuf_len)) {
        unsigned long next_objoff = 0;

        /*
         * While we're at it,
         *   lets record the size as running up to the next object offset.
         *
         * To do so, we will need to parse the next obj pair.
         */
        /* objstm->current_pair points directly to the objid */
        index           = objstm->streambuf + objstm->current_pair;
        bytes_remaining = objstm->streambuf + objstm->streambuf_len - index;

        /* We don't actually care about the object id at this point, so reading the object id is commented out.
           I didn't delete it entirely in case the object id is needed in the future. */
        // if (CL_SUCCESS != cli_strntol_wrap(index, bytes_remaining, 0, 10, &temp_long)) {
        //     /* Failed to find objid for next obj */
        //     cli_dbgmsg("pdf_findobj_in_objstm: Failed to find next objid for obj in object stream though there should be {%u} more.\n", objstm->n - objstm->nobjs_found);
        //     status = CL_EPARSE;
        //     goto done;
        // } else if (temp_long < 0) {
        //     cli_dbgmsg("pdf_findobj_in_objstm: Encountered invalid negative objid (%ld).\n", temp_long);
        //     status = CL_EPARSE;
        //     goto done;
        // }
        // next_objid = (unsigned long)temp_long;

        /* Find the obj offset that appears just after the objid*/
        while ((index < objstm->streambuf + objstm->streambuf_len) && isdigit(*index)) {
            index++;
            bytes_remaining--;
        }
        index           = findNextNonWS(index, objstm->streambuf + objstm->first);
        bytes_remaining = objstm->streambuf + objstm->streambuf_len - index;

        if (CL_SUCCESS != cli_strntol_wrap(index, bytes_remaining, 0, 10, &temp_long)) {
            /* Failed to find obj offset for next obj */
            cli_dbgmsg("pdf_findobj_in_objstm: Failed to find next obj offset for obj in object stream though there should be {%zu} more.\n", objstm->n - objstm->nobjs_found);
            status = CL_EPARSE;
            goto done;
        } else if (temp_long < 0) {
            cli_dbgmsg("pdf_findobj_in_objstm: Encountered invalid negative obj offset (%ld).\n", temp_long);
            status = CL_EPARSE;
            goto done;
        }
        next_objoff = (unsigned long)temp_long;

        if (next_objoff <= objoff) {
            /* Failed to find obj offset for next obj */
            cli_dbgmsg("pdf_findobj_in_objstm: Found next obj offset for obj in object stream but it's less than or equal to the current one!\n");
            status = CL_EPARSE;
            goto done;
        } else if (objstm->first + next_objoff > objstm->streambuf_len) {
            /* Failed to find obj offset for next obj */
            cli_dbgmsg("pdf_findobj_in_objstm: Found next obj offset for obj in object stream but it's further out than the size of the stream!\n");
            status = CL_EPARSE;
            goto done;
        }

        obj->size = next_objoff - objoff;
    } else {
        /*
         * Should be no more objects. We should verify.
         *
         * Either way...
         *   obj->size should be the rest of the buffer.
         */
        if (objstm->nobjs_found < objstm->n) {
            cli_warnmsg("pdf_findobj_in_objstm: Fewer objects found in object stream than expected!\n");
        }

        obj->size = objstm->streambuf_len - obj->start;
    }

    /* Success! Add the object to the list of all objects found. */
    pdf->nobjs++;
    CLI_MAX_REALLOC_OR_GOTO_DONE(pdf->objs, sizeof(struct pdf_obj *) * pdf->nobjs,
                                 cli_warnmsg("pdf_findobj_in_objstm: out of memory finding objects in stream\n"),
                                 status = CL_EMEM);
    pdf->objs[pdf->nobjs - 1] = obj;

    *obj_found = obj;

    status = CL_SUCCESS;

done:
    if (CL_SUCCESS != status) {
        if (NULL != obj) {
            free(obj);
        }
    }
    return status;
}

/**
 * @brief Find the next *indirect* object.
 *
 * Indirect objects located outside of an object stream are prefaced with:
 *      <objid> <genid> obj
 *
 * Each of the above are separated by whitespace of some sort.
 *
 * Indirect objects are postfaced with:
 *      endobj
 *
 * The specification does not say if whitespace is required before or after "endobj".
 *
 * Identify truncated objects.
 *
 * If found, pdf->offset will be updated to just after the "endobj".
 * If truncated, pdf->offset will == pdf->size.
 * If not found, pdf->offset will not be updated.
 *
 * @param pdf   Pdf context struct that keeps track of all information found in the PDF.
 *
 * @return CL_SUCCESS  if success
 * @return CL_BREAK    if no more objects
 * @return CL_EPARSE   if parsing error
 * @return CL_EMEM     if error allocating memory
 */
cl_error_t pdf_findobj(struct pdf_struct *pdf)
{
    cl_error_t status = CL_EPARSE;
    const char *start, *idx, *genid_search_index, *objid_search_index;

    const char *obj_begin = NULL, *obj_end = NULL;
    const char *endobj_begin = NULL, *endobj_end = NULL;

    struct pdf_obj *obj = NULL;
    size_t bytesleft;
    unsigned long genid, objid;
    long temp_long;

    if (pdf->nobjs >= MAX_PDF_OBJECTS) {
        pdf->flags |= 1 << BAD_PDF_TOOMANYOBJS;

        cli_dbgmsg("pdf_findobj: reached object maximum\n");
        status = CL_BREAK;
        goto done;
    }
    pdf->nobjs++;
    CLI_MAX_REALLOC_OR_GOTO_DONE(pdf->objs, sizeof(struct pdf_obj *) * pdf->nobjs, status = CL_EMEM);

    obj = malloc(sizeof(struct pdf_obj));
    if (!obj) {
        status = CL_EMEM;
        goto done;
    }
    pdf->objs[pdf->nobjs - 1] = obj;

    memset(obj, 0, sizeof(*obj));

    start     = pdf->map + pdf->offset;
    bytesleft = pdf->size - pdf->offset;

    /*
     * Start by searching for "obj"
     */
    idx = start + 1;
    while (bytesleft > 1 + strlen("obj")) {
        /* `- 1` accounts for size of white space before obj */
        idx = cli_memstr(idx, bytesleft - 1, "obj", strlen("obj"));
        if (NULL == idx) {
            status = CL_BREAK;
            goto done; /* No more objs. */
        }

        /* verify that the word has a whitespace before it, and is not the end of
         * a previous word */
        idx--;
        bytesleft = (pdf->size - pdf->offset) - (size_t)(idx - start);

        if (*idx != 0 && *idx != 9 && *idx != 0xa && *idx != 0xc && *idx != 0xd && *idx != 0x20) {
            /* This instance of "obj" appears to be part of a longer string.
             * Skip it, and keep searching for an object. */
            idx += 1 + strlen("obj");
            bytesleft -= 1 + strlen("obj");
            continue;
        }

        /* Found the beginning of the word */
        obj_begin = idx;
        obj_end   = idx + 1 + strlen("obj");

        break;
    }

    if ((NULL == obj_begin) || (NULL == obj_end)) {
        status = CL_BREAK;
        goto done; /* No more objs. */
    }

    /* Find the generation id (genid) that appears before the "obj" */
    genid_search_index = findNextNonWSBack(obj_begin - 1, start);
    while (genid_search_index > start && isdigit(*genid_search_index))
        genid_search_index--;

    if (CL_SUCCESS != cli_strntol_wrap(genid_search_index, (size_t)((obj_begin)-genid_search_index), 0, 10, &temp_long)) {
        cli_dbgmsg("pdf_findobj: Failed to parse object genid (# objects found: %u)\n", pdf->nobjs);
        /* Failed to parse, probably not a real object.  Skip past the "obj" thing, and continue. */
        pdf->offset = obj_end - pdf->map;
        status      = CL_EPARSE;
        goto done;
    } else if (temp_long < 0) {
        cli_dbgmsg("pdf_findobj: Encountered invalid negative obj genid (%ld).\n", temp_long);
        pdf->offset = obj_end - pdf->map;
        status      = CL_EPARSE;
        goto done;
    }
    genid = (unsigned long)temp_long;

    /* Find the object id (objid) that appears before the genid */
    objid_search_index = findNextNonWSBack(genid_search_index - 1, start);
    while (objid_search_index > start && isdigit(*objid_search_index))
        objid_search_index--;

    if (CL_SUCCESS != cli_strntol_wrap(objid_search_index, (size_t)((genid_search_index)-objid_search_index), 0, 10, &temp_long)) {
        /*
         * Edge case:
         *
         * PDFs with multiple revisions will have %%EOF before the end of the file,
         * followed by the next revision of the PDF, which will probably be an immediate objid.
         *
         * Example:
         *   %%EOF1 1 obj <blah> endobj
         *
         * If this is the case, we can detect it and continue parsing after the %%EOF.
         */
        if (objid_search_index - strlen("%%EO") > start) {
            const char *lastfile = objid_search_index - strlen("%%EO");
            if (0 != strncmp(lastfile, "%%EOF", 5)) {
                /* Nope, wasn't %%EOF */
                cli_dbgmsg("pdf_findobj: Failed to parse object objid (# objects found: %u)\n", pdf->nobjs);
                /* Skip past the "obj" thing, and continue. */
                pdf->offset = obj_end - pdf->map;
                status      = CL_EPARSE;
                goto done;
            }
            /* Yup, Looks, like the file continues after %%EOF.
             * Probably another revision.  Keep parsing... */
            objid_search_index++;
            cli_dbgmsg("pdf_findobj: %%%%EOF detected before end of file, at offset: %zu\n", (size_t)(objid_search_index - pdf->map));
        } else {
            /* Failed parsing at the very beginning */
            cli_dbgmsg("pdf_findobj: Failed to parse object objid (# objects found: %u)\n", pdf->nobjs);
            /* Probably not a real object.  Skip past the "obj" thing, and continue. */
            pdf->offset = obj_end - pdf->map;
            status      = CL_EPARSE;
            goto done;
        }
        /* Try again, with offset slightly adjusted */
        if (CL_SUCCESS != cli_strntol_wrap(objid_search_index, (size_t)((genid_search_index - 1) - objid_search_index), 0, 10, &temp_long)) {
            cli_dbgmsg("pdf_findobj: Failed to parse object objid (# objects found: %u)\n", pdf->nobjs);
            /* Still failed... Probably not a real object.  Skip past the "obj" thing, and continue. */
            pdf->offset = obj_end - pdf->map;
            status      = CL_EPARSE;
            goto done;
        } else if (temp_long < 0) {
            cli_dbgmsg("pdf_findobj: Encountered invalid negative objid (%ld).\n", temp_long);
            pdf->offset = obj_end - pdf->map;
            status      = CL_EPARSE;
            goto done;
        }

        cli_dbgmsg("pdf_findobj: There appears to be an additional revision. Continuing to parse...\n");
    } else if (temp_long < 0) {
        cli_dbgmsg("pdf_findobj: Encountered invalid negative objid (%ld).\n", temp_long);
        pdf->offset = obj_end - pdf->map;
        status      = CL_EPARSE;
        goto done;
    }
    objid = (unsigned long)temp_long;

    obj->id    = (objid << 8) | (genid & 0xff);
    obj->start = obj_end - pdf->map; /* obj start begins just after the "obj" string */
    obj->flags = 0;

    /*
     * We now have the objid, genid, and object start.
     * Find the object end ("endobj").
     */
    /* `- 1` accounts for size of white space before obj */
    endobj_begin = cli_memstr(obj_end, pdf->map + pdf->size - obj_end, "endobj", strlen("endobj"));
    if (NULL == endobj_begin) {
        /* No end to object.
         * PDF appears to be malformed or truncated.
         * Will record the object size as going ot the end of the file.
         * Will record that the object is truncated.
         * Will position the pdf offset to the end of the PDF.
         * The next iteration of this function will find no more objects. */
        obj->flags |= 1 << OBJ_TRUNCATED;
        obj->size   = (pdf->map + pdf->size) - obj_end;
        pdf->offset = pdf->size;

        /* Truncated "object" found! */
        status = CL_SUCCESS;
        goto done;
    }
    endobj_end = endobj_begin + strlen("endobj");

    /* Size of the object goes from "obj" <-> "endobject". */
    obj->size   = endobj_begin - obj_end;
    pdf->offset = endobj_end - pdf->map;

    /*
     * Object found!
     */
    status = CL_SUCCESS; /* truncated file, no end to obj. */

done:
    if (status == CL_SUCCESS) {
        cli_dbgmsg("pdf_findobj: found %d %d obj @%lld, size: %zu bytes.\n", obj->id >> 8, obj->id & 0xff, (long long)(obj->start + pdf->startoff), obj->size);
    } else {
        /* Remove the unused obj reference from our list of objects found */
        /* No need to realloc pdf->objs back down.  It won't leak. */
        pdf->objs[pdf->nobjs - 1] = NULL;
        pdf->nobjs--;

        /* Free up the obj struct. */
        if (NULL != obj)
            free(obj);

        if (status == CL_BREAK) {
            cli_dbgmsg("pdf_findobj: No more objects (# objects found: %u)\n", pdf->nobjs);
        } else if (status == CL_EMEM) {
            cli_warnmsg("pdf_findobj: Error allocating memory (# objects found: %u)\n", pdf->nobjs);
        } else {
            cli_dbgmsg("pdf_findobj: Unexpected status code %d.\n", status);
        }
    }

    return status;
}

static size_t filter_writen(struct pdf_struct *pdf, struct pdf_obj *obj, int fout, const char *buf, size_t len, size_t *sum)
{
    UNUSEDPARAM(obj);

    if (cli_checklimits("pdf", pdf->ctx, (uint64_t)*sum, 0, 0))
        return len;

    *sum += len;

    return cli_writen(fout, buf, len);
}

void pdfobj_flag(struct pdf_struct *pdf, struct pdf_obj *obj, enum pdf_flag flag)
{
    const char *s = "";
    pdf->flags |= 1 << flag;
    if (!cli_debug_flag)
        return;

    switch (flag) {
        case UNTERMINATED_OBJ_DICT:
            s = "dictionary not terminated";
            break;
        case ESCAPED_COMMON_PDFNAME:
            /* like /JavaScript */
            s = "escaped common pdfname";
            break;
        case BAD_STREAM_FILTERS:
            s = "duplicate stream filters";
            break;
        case BAD_PDF_VERSION:
            s = "bad pdf version";
            break;
        case BAD_PDF_HEADERPOS:
            s = "bad pdf header position";
            break;
        case BAD_PDF_TRAILER:
            s = "bad pdf trailer";
            break;
        case BAD_PDF_TOOMANYOBJS:
            s = "too many pdf objs";
            break;
        case BAD_FLATE:
            s = "bad deflate stream";
            break;
        case BAD_FLATESTART:
            s = "bad deflate stream start";
            break;
        case BAD_STREAMSTART:
            s = "bad stream start";
            break;
        case UNKNOWN_FILTER:
            s = "unknown filter used";
            break;
        case BAD_ASCIIDECODE:
            s = "bad ASCII decode";
            break;
        case HEX_JAVASCRIPT:
            s = "hex javascript";
            break;
        case BAD_INDOBJ:
            s = "referencing nonexistent obj";
            break;
        case HAS_OPENACTION:
            s = "has /OpenAction";
            break;
        case HAS_LAUNCHACTION:
            s = "has /LaunchAction";
            break;
        case BAD_STREAMLEN:
            s = "bad /Length, too small";
            break;
        case ENCRYPTED_PDF:
            s = "PDF is encrypted";
            break;
        case LINEARIZED_PDF:
            s = "linearized PDF";
            break;
        case MANY_FILTERS:
            s = "more than 2 filters per obj";
            break;
        case DECRYPTABLE_PDF:
            s = "decryptable PDF";
            break;
    }

    cli_dbgmsg("pdfobj_flag: %s flagged in object %u %u\n", s, obj->id >> 8, obj->id & 0xff);
}

struct pdf_obj *find_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t objid)
{
    uint32_t j;
    uint32_t i;

    /* search starting at previous obj (if exists) */
    for (i = 0; i < pdf->nobjs; i++) {
        if (pdf->objs[i] == obj)
            break;
    }

    for (j = i; j < pdf->nobjs; j++) {
        obj = pdf->objs[j];
        if (obj->id == objid)
            return obj;
    }

    /* restart search from beginning if not found */
    for (j = 0; j < i; j++) {
        obj = pdf->objs[j];
        if (obj->id == objid)
            return obj;
    }

    return NULL;
}

/**
 * @brief   Find and interpret the "/Length" dictionary key value.
 *
 * The value may be:
 *  - a direct object (i.e. just a number)
 *  - an indirect object, where the value is somewhere else in the document and we have to look it up.
 *    indirect objects are referenced using an object id (objid), generation id (genid) genid, and the letter 'R'.
 *
 * Example dictionary with a single key "/Length" that relies direct object for the value.
 *
 *      1 0 obj
 *          << /Length 534
 *              /Filter [ /ASCII85Decode /LZWDecode ]
 *          >>
 *          stream
 *              J..)6T`?p&<!J9%_[umg"B7/Z7KNXbN'S+,*Q/&"OLT'FLIDK#!n`$"<Atdi`\Vn%b%)&'cA*VnK\CJY(sF>c!Jnl@
 *              RM]WM;jjH6Gnc75idkL5]+cPZKEBPWdR>FF(kj1_R%W_d&/jS!;iuad7h?[L-F$+]]0A3Ck*$I0KZ?;<)CJtqi65Xb
 *              Vc3\n5ua:Q/=0$W<#N3U;H,MQKqfg1?:lUpR;6oN[C2E4ZNr8Udn.'p+?#X+1>0Kuk$bCDF/(3fL5]Oq)^kJZ!C2H1
 *              'TO]Rl?Q:&'<5&iP!$Rq;BXRecDN[IJB`,)o8XJOSJ9sDS]hQ;Rj@!ND)bD_q&C\g:inYC%)&u#:u,M6Bm%IY!Kb1+
 *              ":aAa'S`ViJglLb8<W9k6Yl\\0McJQkDeLWdPN?9A'jX*al>iG1p&i;eVoK&juJHs9%;Xomop"5KatWRT"JQ#qYuL,
 *              JD?M$0QP)lKn06l1apKDC@\qJ4B!!(5m+j.7F790m(Vj88l8Q:_CZ(Gm1%X\N1&u!FKHMB~>
 *          endstream
 *      endobj
 *
 * Example dictionary with a single key "/Length" that relies on an indirect object for the value.
 *
 *      7 0 obj
 *          << /Length 8 0 R >> % An indirect reference to object 8, with generation id 0.
 *          stream
 *              BT
 *                  /F1 12 Tf
 *                   72 712 Td
 *                  ( A stream with an indirect length ) Tj
 *              ET
 *          endstream
 *      endobj
 *
 *      8 0 obj
 *          77 % The length of the preceding stream
 *      endobj
 *
 * @param pdf       Pdf context structure.
 * @param obj       Pdf object context structure.
 * @param start     Pointer start of the dictionary string.
 * @param len       Remaining length of the dictioary string in bytes.
 * @return size_t   Unsigned integer value of the "/Length" key
 */
static size_t find_length(struct pdf_struct *pdf, struct pdf_obj *obj, const char *dict_start, size_t dict_len)
{
    size_t length          = 0;
    const char *obj_start  = dict_start;
    size_t bytes_remaining = dict_len;
    long temp_long         = 0;
    const char *index;

    if (bytes_remaining < 8) {
        return 0;
    }

    /*
     * Find the "/Length" dictionary key
     */
    index = cli_memstr(obj_start, bytes_remaining, "/Length", 7);
    if (!index)
        return 0;

    bytes_remaining -= index - obj_start;

    if (bytes_remaining < 1) {
        return 0;
    }

    /* Step the index into the "/Length" string. */
    index++;
    bytes_remaining--;

    /* Find the start of the next direct or indirect object.
     * pdf_nextobject() assumes we started searching from within a previous object */
    obj_start = pdf_nextobject(index, bytes_remaining);
    if (!obj_start)
        return 0;

    if (bytes_remaining < (size_t)(obj_start - index)) {
        return 0;
    }
    bytes_remaining -= obj_start - index;
    index = obj_start;

    /* Read the value.  This could either be the direct length value,
       or the object id of the indirect object that has the length */
    if (CL_SUCCESS != cli_strntol_wrap(index, bytes_remaining, 0, 10, &temp_long)) {
        cli_dbgmsg("find_length: failed to parse object length or objid\n");
        return 0;
    } else if (temp_long < 0) {
        cli_dbgmsg("find_length: Encountered invalid negative object length or objid (%ld).\n", temp_long);
        return 0;
    }
    length = (size_t)temp_long; /* length or maybe object id */

    /*
     * Keep parsing, skipping past the first integer that might have been what we wanted.
     * If it's an indirect object, we'll find a Generation ID followed by the letter 'R'
     * I.e. something like " 0 R"
     */
    while ((bytes_remaining > 0) && isdigit(*index)) {
        index++;
        bytes_remaining--;
    }

    if ((bytes_remaining > 0) && (*index == ' ')) {
        unsigned long genid;

        index++;
        bytes_remaining--;

        if (CL_SUCCESS != cli_strntol_wrap(index, bytes_remaining, 0, 10, &temp_long)) {
            cli_dbgmsg("find_length: failed to parse object genid\n");
            return 0;
        } else if (temp_long < 0) {
            cli_dbgmsg("find_length: Encountered invalid negative object genid (%ld).\n", temp_long);
            return 0;
        }
        genid = (unsigned long)temp_long;

        while ((bytes_remaining > 0) && isdigit(*index)) {
            index++;
            bytes_remaining--;
        }

        if (bytes_remaining < 2) {
            return 0;
        }

        if (index[0] == ' ' && index[1] == 'R') {
            /*
             * Ok so we found a genid and that 'R'.  Which means that first value
             * was actually the objid.
             * We can look up the indirect object using this information.
             */
            unsigned long objid            = length;
            const char *indirect_obj_start = NULL;

            cli_dbgmsg("find_length: length is in indirect object %lu %lu\n", objid, genid);

            obj = find_obj(pdf, obj, (length << 8) | (genid & 0xff));
            if (!obj) {
                cli_dbgmsg("find_length: indirect object not found\n");
                return 0;
            }

            if (NULL == obj->objstm) {
                indirect_obj_start = (const char *)(obj->start + pdf->map);

                if (!CLI_ISCONTAINED(pdf->map, pdf->size, indirect_obj_start, obj->size)) {
                    cli_dbgmsg("find_length: indirect object found, but not contained in PDF\n");
                    return 0;
                }

                bytes_remaining = pdf->size - obj->start;

            } else {
                indirect_obj_start = (const char *)(obj->start + obj->objstm->streambuf);

                if (!CLI_ISCONTAINED(obj->objstm->streambuf, obj->objstm->streambuf_len, indirect_obj_start, obj->size)) {
                    cli_dbgmsg("find_length: indirect object found, but not contained in PDF streambuf\n");
                    return 0;
                }

                bytes_remaining = obj->objstm->streambuf_len - obj->start;
            }

            /* Ok so we found the indirect object, lets read the value. */
            index = pdf_nextobject(indirect_obj_start, bytes_remaining);
            if (!index) {
                cli_dbgmsg("find_length: next object not found\n");
                return 0;
            }

            if (bytes_remaining < (size_t)(index - indirect_obj_start)) {
                return 0;
            }
            bytes_remaining -= index - indirect_obj_start;

            /* Found the value, so lets parse it as a long, but prohibit negative lengths. */
            if (CL_SUCCESS != cli_strntol_wrap(index, bytes_remaining, 0, 10, &temp_long)) {
                cli_dbgmsg("find_length: failed to parse object length from indirect object\n");
                return 0;
            } else if (temp_long < 0) {
                cli_dbgmsg("find_length: Encountered invalid negative obj length (%ld).\n", temp_long);
                return 0;
            }
            length = (size_t)temp_long;
        }
    }

    /* limit length */
    if ((size_t)(obj_start - pdf->map) + length + 5 > pdf->size)
        length = pdf->size - (obj_start - pdf->map) - 5;

    return length;
}

#define DUMP_MASK ((1 << OBJ_CONTENTS) | (1 << OBJ_FILTER_FLATE) | (1 << OBJ_FILTER_DCT) | (1 << OBJ_FILTER_AH) | (1 << OBJ_FILTER_A85) | (1 << OBJ_EMBEDDED_FILE) | (1 << OBJ_JAVASCRIPT) | (1 << OBJ_OPENACTION) | (1 << OBJ_LAUNCHACTION))

static int run_pdf_hooks(struct pdf_struct *pdf, enum pdf_phase phase, int fd, const char *filepath)
{
    int ret;
    struct cli_bc_ctx *bc_ctx;
    cli_ctx *ctx = NULL;
    fmap_t *map;

    if (NULL == pdf)
        return CL_EARG;

    ctx = pdf->ctx;

    bc_ctx = cli_bytecode_context_alloc();
    if (!bc_ctx) {
        cli_errmsg("run_pdf_hooks: can't allocate memory for bc_ctx\n");
        return CL_EMEM;
    }

    map = ctx->fmap;
    if (fd != -1) {
        /* The fmap in this bytecode context is an extracted pdf object. */
        map = fmap_new(fd, 0, 0, NULL, filepath);
        if (!map) {
            cli_dbgmsg("run_pdf_hooks: can't mmap pdf extracted obj\n");
            map = ctx->fmap;
            fd  = -1;
        }
    }

    cli_bytecode_context_setpdf(bc_ctx, phase, pdf->nobjs, pdf->objs, &pdf->flags, pdf->size, pdf->startoff);
    cli_bytecode_context_setctx(bc_ctx, ctx);
    ret = cli_bytecode_runhook(ctx, ctx->engine, bc_ctx, BC_PDF, map);
    cli_bytecode_context_destroy(bc_ctx);

    if (fd != -1)
        fmap_free(map);

    return ret;
}

static void dbg_printhex(const char *msg, const char *hex, unsigned len);

static void aes_256cbc_decrypt(const unsigned char *in, size_t *length, unsigned char *q, char *key, unsigned key_n, int has_iv)
{
    uint32_t rk[RKLENGTH(256)];
    unsigned char iv[16];
    size_t len = 0;
    unsigned char pad, i;
    int nrounds;

    if (in == NULL || length == NULL) {
        cli_dbgmsg("aes_256cbc_decrypt: invalid NULL parameters!\n");
        noisy_warnmsg("aes_256cbc_decrypt: invalid NULL parameters!\n");
        return;
    }

    len = *length;

    cli_dbgmsg("aes_256cbc_decrypt: key length: %d, data length: %zu\n", key_n, *length);
    if (!(key_n == 16 || key_n == 24 || key_n == 32)) {
        cli_dbgmsg("aes_256cbc_decrypt: invalid key length: %u!\n", key_n * 8);
        noisy_warnmsg("aes_256cbc_decrypt: invalid key length: %u!\n", key_n * 8);
        return;
    }

    if (len < 32) {
        cli_dbgmsg("aes_256cbc_decrypt: len is <32: %zu\n", len);
        noisy_warnmsg("aes_256cbc_decrypt: len is <32: %zu\n", len);
        return;
    }

    if (has_iv) {
        memcpy(iv, in, 16);
        in += 16;
        len -= 16;
    } else {
        memset(iv, 0, sizeof(iv));
    }

    cli_dbgmsg("aes_256cbc_decrypt: Calling rijndaelSetupDecrypt\n");
    nrounds = rijndaelSetupDecrypt(rk, (const unsigned char *)key, key_n * 8);
    if (!nrounds) {
        cli_dbgmsg("aes_256cbc_decrypt: nrounds = 0\n");
        return;
    }
    cli_dbgmsg("aes_256cbc_decrypt: Beginning rijndaelDecrypt\n");

    while (len >= 16) {
        unsigned i;

        rijndaelDecrypt(rk, nrounds, in, q);
        for (i = 0; i < 16; i++)
            q[i] ^= iv[i];

        memcpy(iv, in, 16);

        q += 16;
        in += 16;
        len -= 16;
    }
    if (has_iv) {
        len += 16;
        pad = q[-1];

        if (pad > 0x10) {
            cli_dbgmsg("aes_256cbc_decrypt: bad pad: %x (extra len: %zu)\n", pad, len - 16);
            noisy_warnmsg("aes_256cbc_decrypt: bad pad: %x (extra len: %zu)\n", pad, len - 16);
            *length -= len;
            return;
        }

        q -= pad;
        for (i = 1; i < pad; i++) {
            if (q[i] != pad) {
                cli_dbgmsg("aes_256cbc_decrypt: bad pad: %x != %x\n", q[i], pad);
                noisy_warnmsg("aes_256cbc_decrypt: bad pad: %x != %x\n", q[i], pad);
                *length -= len;

                return;
            }
        }

        len += pad;
    }

    *length -= len;

    cli_dbgmsg("aes_256cbc_decrypt: length is %zu\n", *length);
}

static void aes_128cbc_encrypt(const unsigned char *in, size_t in_length, unsigned char *out, size_t *out_length, const unsigned char *key, size_t key_n, const unsigned char *iv)
{
    uint32_t rk[RKLENGTH(128)];
    unsigned char real_iv[16] = {0};
    int nrounds;
    uint8_t i = 0;

    cli_dbgmsg("cli_pdf: aes_128cbc_encrypt: key length: %zu, data length: %zu\n", key_n, in_length);
    if (key_n > 16) {
        cli_dbgmsg("cli_pdf: aes_128cbc_encrypt: key length is %zu!\n", key_n * 8);
        return;
    }

    if (in_length < 16) {
        cli_dbgmsg("cli_pdf: aes_128cbc_encrypt: in_length is <16: %zu\n", in_length);
        noisy_warnmsg("cli_pdf: aes_128cbc_encrypt: in_length is <16: %zu\n", in_length);
        return;
    }

    cli_dbgmsg("aes_128cbc_encrypt: Calling rijndaelSetupEncrypt\n");
    nrounds = rijndaelSetupEncrypt(rk, key, key_n * 8);
    if (!nrounds) {
        cli_dbgmsg("cli_pdf: aes_128cbc_encrypt: nrounds = 0\n");
        return;
    }
    cli_dbgmsg("aes_128cbc_encrypt: Beginning rijndaelEncrypt\n");

    if (iv)
        memcpy(real_iv, iv, sizeof(real_iv));

    *out_length = 0;
    while (in_length >= 16) {
        for (i = 0; i < 16; i++)
            real_iv[i] ^= in[i];

        rijndaelEncrypt(rk, nrounds, real_iv, real_iv);

        for (i = 0; i < 16; i++)
            out[i] = real_iv[i];

        out += 16;
        *out_length += 16;
        in += 16;
        in_length -= 16;
    }

    cli_dbgmsg("cli_pdf: aes_128cbc_encrypt: length is %zu\n", *out_length);
}

char *decrypt_any(struct pdf_struct *pdf, uint32_t id, const char *in, size_t *length, enum enc_method enc_method)
{
    unsigned char *key, *q, result[16];
    unsigned n;
    struct arc4_state arc4;

    if (!length || !*length || !in) {
        noisy_warnmsg("decrypt_any: decrypt failed for obj %u %u:  Invalid arguments.\n", id >> 8, id & 0xff);
        return NULL;
    }

    if (NULL == pdf->key || 0 == pdf->keylen) {
        noisy_warnmsg("decrypt_any: decrypt failed for obj %u %u:  PDF key never identified.\n", id >> 8, id & 0xff);
        return NULL;
    }

    n = pdf->keylen + 5;
    if (enc_method == ENC_AESV2)
        n += 4;

    key = cli_max_malloc(n);
    if (!key) {
        noisy_warnmsg("decrypt_any: malloc failed\n");
        return NULL;
    }

    memcpy(key, pdf->key, pdf->keylen);
    q    = key + pdf->keylen;
    *q++ = id >> 8;
    *q++ = id >> 16;
    *q++ = id >> 24;
    *q++ = id;
    *q++ = 0;
    if (enc_method == ENC_AESV2)
        memcpy(q, "sAlT", 4);

    cl_hash_data("md5", key, n, result, NULL);
    free(key);

    n = pdf->keylen + 5;
    if (n > 16)
        n = 16;

    q = cli_max_calloc(*length, sizeof(char));
    if (!q) {
        noisy_warnmsg("decrypt_any: malloc failed\n");
        return NULL;
    }

    switch (enc_method) {
        case ENC_V2:
            cli_dbgmsg("cli_pdf: enc is v2\n");
            memcpy(q, in, *length);
            if (false == arc4_init(&arc4, result, n)) {
                noisy_warnmsg("decrypt_any: failed to init arc4\n");
                free(q);
                return NULL;
            }
            arc4_apply(&arc4, q, (unsigned)*length); /* TODO: may truncate for very large lengths */

            noisy_msg(pdf, "decrypt_any: decrypted ARC4 data\n");

            break;
        case ENC_AESV2:
            cli_dbgmsg("cli_pdf: enc is aesv2\n");
            aes_256cbc_decrypt((const unsigned char *)in, length, q, (char *)result, n, 1);

            noisy_msg(pdf, "decrypt_any: decrypted AES(v2) data\n");

            break;
        case ENC_AESV3:
            cli_dbgmsg("decrypt_any: enc is aesv3\n");

            aes_256cbc_decrypt((const unsigned char *)in, length, q, pdf->key, pdf->keylen, 1);

            noisy_msg(pdf, "decrypted AES(v3) data\n");

            break;
        case ENC_IDENTITY:
            cli_dbgmsg("decrypt_any: enc is identity\n");
            memcpy(q, in, *length);

            noisy_msg(pdf, "decrypt_any: identity encryption\n");

            break;
        case ENC_NONE:
            cli_dbgmsg("decrypt_any: enc is none\n");

            noisy_msg(pdf, "encryption is none\n");

            free(q);
            return NULL;
        case ENC_UNKNOWN:
            cli_dbgmsg("decrypt_any: enc is unknown\n");
            free(q);

            noisy_warnmsg("decrypt_any: unknown encryption method for obj %u %u\n",
                          id >> 8, id & 0xff);

            return NULL;
    }

    return (char *)q;
}

enum enc_method get_enc_method(struct pdf_struct *pdf, struct pdf_obj *obj)
{
    if (obj->flags & (1 << OBJ_EMBEDDED_FILE))
        return pdf->enc_method_embeddedfile;

    if (obj->flags & (1 << OBJ_STREAM))
        return pdf->enc_method_stream;

    return pdf->enc_method_string;
}

enum cstate {
    CSTATE_NONE,
    CSTATE_TJ,
    CSTATE_TJ_PAROPEN
};

static void process(struct text_norm_state *s, enum cstate *st, const char *buf, size_t length, int fout)
{
    do {
        switch (*st) {
            case CSTATE_NONE:
                if (*buf == '[') {
                    *st = CSTATE_TJ;
                } else {
                    const char *nl = memchr(buf, '\n', length);
                    if (!nl)
                        return;

                    if ((size_t)(nl - buf) > length) {
                        length = 0;
                    } else {
                        length -= nl - buf;
                    }
                    buf = nl;
                }

                break;
            case CSTATE_TJ:
                if (*buf == '(')
                    *st = CSTATE_TJ_PAROPEN;

                break;
            case CSTATE_TJ_PAROPEN:
                if (*buf == ')') {
                    *st = CSTATE_TJ;
                } else {
                    if (text_normalize_buffer(s, (const unsigned char *)buf, 1) != 1) {
                        cli_writen(fout, s->out, s->out_pos);
                        text_normalize_reset(s);
                    }
                }

                break;
        }

        buf++;
        if (length > 0)
            length--;
    } while (length > 0);
}

static int pdf_scan_contents(int fd, struct pdf_struct *pdf, struct pdf_obj *obj)
{
    struct text_norm_state s;
    char fullname[1024];
    char outbuff[BUFSIZ];
    char inbuf[BUFSIZ];
    int fout;
    size_t n;
    cl_error_t rc;
    enum cstate st = CSTATE_NONE;

    snprintf(fullname, sizeof(fullname), "%s" PATHSEP "pdf obj %d %d contents", pdf->dir, obj->id >> 8, obj->id & 0xff);
    fout = open(fullname, O_RDWR | O_CREAT | O_EXCL | O_TRUNC | O_BINARY, 0600);
    if (fout < 0) {
        char err[128];

        cli_errmsg("pdf_scan_contents: can't create temporary file %s: %s\n", fullname, cli_strerror(errno, err, sizeof(err)));
        return CL_ETMPFILE;
    }

    text_normalize_init(&s, (unsigned char *)outbuff, sizeof(outbuff));
    while (1) {
        n = cli_readn(fd, inbuf, sizeof(inbuf));
        if ((n == 0) || (n == (size_t)-1))
            break;

        process(&s, &st, inbuf, n, fout);
    }

    cli_writen(fout, s.out, s.out_pos);

    lseek(fout, 0, SEEK_SET);
    rc = cli_magic_scan_desc(fout, fullname, pdf->ctx, NULL, LAYER_ATTRIBUTES_NONE);
    close(fout);

    if (!pdf->ctx->engine->keeptmp || (s.out_pos == 0))
        if (cli_unlink(fullname) && rc != CL_VIRUS)
            rc = CL_EUNLINK;

    return rc;
}

cl_error_t pdf_extract_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t flags)
{
    cl_error_t status = CL_SUCCESS;
    cl_error_t ret;

    char fullname[PATH_MAX + 1];
    bool extracted_an_object = false;
    int fout                 = -1;
    size_t sum               = 0;
    bool dump                = true;
    struct pdf_dict *dparams = NULL;

    cli_dbgmsg("pdf_extract_obj: obj %u %u\n", obj->id >> 8, obj->id & 0xff);

    if (PDF_OBJECT_RECURSION_LIMIT < pdf->parse_recursion_depth) {
        cli_dbgmsg("pdf_extract_obj: Recursion limit reached.\n");
        status = CL_SUCCESS;
        goto done;
    }

    if (obj->extracted) {
        // Should not attempt to extract the same object more than once.
        status = CL_SUCCESS;
        goto done;
    }
    // We're not done yet, but this is enough to say we've tried.
    // Trying again won't help any.
    obj->extracted = true;

    if (obj->objstm) {
        cli_dbgmsg("pdf_extract_obj: extracting obj found in objstm.\n");
        if (obj->objstm->streambuf == NULL) {
            cli_warnmsg("pdf_extract_obj: object in object stream has null stream buffer!\n");
            status = CL_EFORMAT;
            goto done;
        }
    }

    /* Check to see if this is a URI referenced from a prior URI object */
    if (obj->flags & (1 << OBJ_URI)) {
        URI_cb(pdf, obj, NULL);
        status = CL_SUCCESS;
        goto done;
    }

    /* TODO: call bytecode hook here, allow override dumpability */
    if ((!(obj->flags & (1 << OBJ_STREAM)) || (obj->flags & (1 << OBJ_HASFILTERS))) && !(obj->flags & DUMP_MASK)) {
        /* don't dump all streams */
        dump = false;
    }

    if ((obj->flags & (1 << OBJ_IMAGE)) && !(obj->flags & (1 << OBJ_FILTER_DCT))) {
        /* don't dump / scan non-JPG images */
        dump = false;
    }

    if (obj->flags & (1 << OBJ_FORCEDUMP)) {
        /* bytecode can force dump by setting this flag */
        dump = true;
    }

    if (!dump) {
        status = CL_SUCCESS;
        goto done;
    }

    cli_dbgmsg("pdf_extract_obj: dumping obj %u %u\n", obj->id >> 8, obj->id & 0xff);

    snprintf(fullname, sizeof(fullname), "%s" PATHSEP "pdf obj %d %d", pdf->dir, obj->id >> 8, obj->id & 0xff);
    fout = open(fullname, O_RDWR | O_CREAT | O_EXCL | O_TRUNC | O_BINARY, 0600);
    if (fout < 0) {
        char err[128];
        cli_errmsg("pdf_extract_obj: can't create temporary file %s: %s\n", fullname, cli_strerror(errno, err, sizeof(err)));
        status = CL_ETMPFILE;
        goto done;
    }

    extracted_an_object = true;

    if (!(flags & PDF_EXTRACT_OBJ_SCAN)) {
        /*
         * When PDF_EXTRACT_OBJ_SCAN is not set, this function is used to extract the object to a temp file
         * and so we need to save off the path in obj->path for the caller to use.
         */
        if (NULL != obj->path) {
            obj->path = strdup(fullname);
        }
    }

    if ((NULL == obj->objstm) &&
        (obj->flags & (1 << OBJ_STREAM))) {
        /*
         * Object contains a stream. Parse this now.
         */
        cli_dbgmsg("pdf_extract_obj: parsing a stream in obj %u %u\n", obj->id >> 8, obj->id & 0xff);

        const char *start = pdf->map + obj->start;

        size_t length;
        size_t orig_length;
        int dict_len = obj->stream - start; /* Dictionary should end where the stream begins */

        const char *pstr;
        struct objstm_struct *objstm = NULL;
        int xref                     = 0;

        /* Find and interpret the length dictionary value */
        length = find_length(pdf, obj, start, dict_len);

        orig_length = length;

        if (length > obj->stream_size) {
            cli_dbgmsg("cli_pdf: Stream length exceeds object length by %zu bytes. Length truncated to %zu bytes\n", length - obj->stream_size, obj->stream_size);
            noisy_warnmsg("Stream length exceeds object length by %zu bytes. Length truncated to %zu bytes\n", length - obj->stream_size, obj->stream_size);

            length = obj->stream_size;
        }

        if (!(obj->flags & (1 << OBJ_FILTER_FLATE)) && (length == 0)) {
            /*
             * If the length is unknown and this doesn't contain a FLATE encoded filter...
             * Calculate the length using the stream size, and trimming
             * off any newline/carriage returns from the end of the stream.
             */
            const char *q = start + obj->stream_size;
            length        = obj->stream_size;
            q--;

            if (length > 0) {
                if (*q == '\n') {
                    q--;
                    length--;

                    if (length > 0 && *q == '\r')
                        length--;
                } else if (*q == '\r') {
                    length--;
                }
            }

            cli_dbgmsg("pdf_extract_obj: calculated length %zu\n", length);
        } else {
            if (obj->stream_size > (size_t)length + 2) {
                cli_dbgmsg("cli_pdf: calculated length %zu < %zu\n",
                           length, obj->stream_size);
                length = obj->stream_size;
            }
        }

        if ((0 != orig_length) && (obj->stream_size > orig_length + 20)) {
            cli_dbgmsg("pdf_extract_obj: orig length: %zu, length: %zu, size: %zu\n",
                       orig_length, length, obj->stream_size);
            pdfobj_flag(pdf, obj, BAD_STREAMLEN);
        }

        if (0 == length) {
            length = obj->stream_size;
            if (0 == length) {
                cli_dbgmsg("pdf_extract_obj: Alleged or calculated stream length and stream buffer size both 0\n");

                /* Empty stream, nothing to scan */
                status = CL_SUCCESS;
                goto done;
            }
        }

        /* Check if XRef is enabled */
        if (cli_memstr(start, dict_len, "/XRef", strlen("/XRef"))) {
            xref = 1;
        }

        /*
         * Identify the DecodeParms, if available.
         */
        if (NULL != (pstr = pdf_getdict(start, &dict_len, "/DecodeParms"))) {
            cli_dbgmsg("pdf_extract_obj: Found /DecodeParms\n");
        } else if (NULL != (pstr = pdf_getdict(start, &dict_len, "/DP"))) {
            cli_dbgmsg("pdf_extract_obj: Found /DP\n");
        }

        if (pstr) {
            /* shift pstr left to "<<" for pdf_parse_dict */
            while ((*pstr == '<') && (pstr > start)) {
                pstr--;
                dict_len++;
            }

            /* shift pstr right to "<<" for pdf_parse_dict */
            while ((*pstr != '<') && (dict_len > 0)) {
                pstr++;
                dict_len--;
            }

            if (dict_len > 4) {
                pdf->parse_recursion_depth++;
                dparams = pdf_parse_dict(pdf, obj, obj->size, (char *)pstr, NULL);
                pdf->parse_recursion_depth--;
            } else {
                cli_dbgmsg("pdf_extract_obj: failed to locate DecodeParms dictionary start\n");
            }
        }

        /*
         * Go back to the start of the dictionary and check to see if the stream
         * is an object stream. If so, collect the relevant info.
         */
        dict_len = obj->stream - start;
        if (NULL != (pstr = pdf_getdict(start, &dict_len, "/Type/ObjStm"))) {
            int objstm_first  = -1;
            int objstm_length = -1;
            int objstm_n      = -1;

            cli_dbgmsg("pdf_extract_obj: Found /Type/ObjStm\n");

            dict_len = obj->stream - start;
            if (-1 == (objstm_first = pdf_readint(start, dict_len, "/First"))) {
                cli_warnmsg("pdf_extract_obj: Failed to find offset of first object in object stream\n");
            } else if (-1 == (objstm_length = pdf_readint(start, dict_len, "/Length"))) {
                cli_warnmsg("pdf_extract_obj: Failed to find length of object stream\n");
            } else if (-1 == (objstm_n = pdf_readint(start, dict_len, "/N"))) {
                cli_warnmsg("pdf_extract_obj: Failed to find num objects in object stream\n");
            } else {
                /* Add objstm to pdf struct, so it can be freed eventually */
                pdf->nobjstms++;
                pdf->objstms = cli_max_realloc_or_free(pdf->objstms, sizeof(struct objstm_struct *) * pdf->nobjstms);
                if (!pdf->objstms) {
                    cli_warnmsg("pdf_extract_obj: out of memory parsing object stream (%u)\n", pdf->nobjstms);
                    status = CL_EMEM;
                    goto done;
                }

                CLI_CALLOC_OR_GOTO_DONE(
                    objstm, 1, sizeof(struct objstm_struct),
                    cli_warnmsg("pdf_extract_obj: out of memory parsing object stream (%u)\n", pdf->nobjstms),
                    status = CL_EMEM);

                pdf->objstms[pdf->nobjstms - 1] = objstm;

                objstm->first        = (size_t)objstm_first;
                objstm->current      = (size_t)objstm_first;
                objstm->current_pair = 0;
                objstm->length       = (size_t)objstm_length;
                objstm->n            = (size_t)objstm_n;

                cli_dbgmsg("pdf_extract_obj: ObjStm first obj at offset %zu\n", objstm->first);
                cli_dbgmsg("pdf_extract_obj: ObjStm length is %zu bytes\n", objstm->length);
                cli_dbgmsg("pdf_extract_obj: ObjStm should contain %zu objects\n", objstm->n);
            }
        }

        sum = pdf_decodestream(pdf, obj, dparams, obj->stream, (uint32_t)length, xref, fout, &status, objstm);
        if ((CL_SUCCESS != status) && (CL_VIRUS != status)) {
            cli_dbgmsg("Error decoding stream! Error code: %d\n", status);

            /* It's ok if we couldn't decode the stream,
             *   make a best effort to keep parsing...
             *   Unless we were unable to allocate memory.*/
            if (CL_EMEM == status) {
                goto done;
            }
            if (CL_EPARSE == status) {
                status = CL_SUCCESS;
            }

            if (NULL != objstm) {
                /*
                 * If we were expecting an objstm and there was a failure...
                 *   discard the memory for last object stream.
                 */
                if (NULL != pdf->objstms) {
                    if (NULL != pdf->objstms[pdf->nobjstms - 1]) {
                        if (NULL != pdf->objstms[pdf->nobjstms - 1]->streambuf) {
                            free(pdf->objstms[pdf->nobjstms - 1]->streambuf);
                            pdf->objstms[pdf->nobjstms - 1]->streambuf = NULL;
                        }
                        free(pdf->objstms[pdf->nobjstms - 1]);
                        pdf->objstms[pdf->nobjstms - 1] = NULL;
                    }

                    /* Pop the objstm off the end of the pdf->objstms array. */
                    if (pdf->nobjstms > 0) {
                        pdf->nobjstms--;
                        if (0 == pdf->nobjstms) {
                            free(pdf->objstms);
                            pdf->objstms = NULL;
                        } else {
                            pdf->objstms = cli_max_realloc_or_free(pdf->objstms, sizeof(struct objstm_struct *) * pdf->nobjstms);

                            if (!pdf->objstms) {
                                cli_warnmsg("pdf_extract_obj: out of memory when shrinking down objstm array\n");
                                status = CL_EMEM;
                                goto done;
                            }
                        }
                    } else {
                        /* hm.. this shouldn't happen */
                        cli_warnmsg("pdf_extract_obj: Failure counting objstms.\n");
                    }
                }
            }
        }

        if (dparams) {
            pdf_free_dict(dparams);
            dparams = NULL;
        }

        if (status == CL_VIRUS) {
            /* skip post-filter scan */
            goto done;
        }

    } else if (obj->flags & (1 << OBJ_JAVASCRIPT)) {
        const char *q2;
        const char *q = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
                                      : (const char *)(obj->start + pdf->map);

        /* TODO: get obj-endobj size */
        off_t bytesleft = obj->size;

        if (bytesleft < 0) {
            goto scan_extracted_objects;
        }

        do {
            char *js      = NULL;
            size_t js_len = 0;
            const char *q3;

            q2 = cli_memstr(q, bytesleft, "/JavaScript", 11);
            if (!q2)
                break;

            bytesleft -= q2 - q + 11;
            q = q2 + 11;

            js = pdf_readstring(q, bytesleft, "/JS", NULL, &q2, !(pdf->flags & (1 << DECRYPTABLE_PDF)));
            bytesleft -= q2 - q;
            q = q2;

            if (js) {
                char *decrypted = NULL;
                const char *out = js;
                js_len          = strlen(js);
                if (pdf->flags & (1 << DECRYPTABLE_PDF)) {
                    cli_dbgmsg("pdf_extract_obj: encrypted string\n");
                    decrypted = decrypt_any(pdf, obj->id, js, &js_len, pdf->enc_method_string);

                    if (decrypted) {
                        noisy_msg(pdf, "pdf_extract_obj: decrypted Javascript string from obj %u %u\n", obj->id >> 8, obj->id & 0xff);
                        out = decrypted;
                    }
                }

                if ((pdf->ctx->options->general & CL_SCAN_GENERAL_COLLECT_METADATA) && pdf->ctx->this_layer_metadata_json != NULL) {
                    struct json_object *pdfobj, *jbig2arr;

                    if (NULL == (pdfobj = cli_jsonobj(pdf->ctx->this_layer_metadata_json, "PDFStats"))) {
                        cli_errmsg("pdf_extract_obj: failed to get PDFStats JSON object\n");
                    } else if (NULL == (jbig2arr = cli_jsonarray(pdfobj, "JavascriptObjects"))) {
                        cli_errmsg("pdf_extract_obj: failed to get JavascriptObjects JSON object\n");
                    } else {
                        cli_jsonint_array(jbig2arr, obj->id >> 8);
                    }
                }

                pdf->stats.njs++;

                if (filter_writen(pdf, obj, fout, out, js_len, (size_t *)&sum) != js_len) {
                    status = CL_EWRITE;
                    free(js);
                    break;
                }

                free(decrypted);
                free(js);
                cli_dbgmsg("pdf_extract_obj: bytesleft: %d\n", (int)bytesleft);

                if (bytesleft > 0) {
                    q2 = pdf_nextobject(q, bytesleft);
                    if (!q2)
                        q2 = q + bytesleft - 1;

                    /* non-conforming PDFs that don't escape ) properly */
                    q3 = memchr(q, ')', bytesleft);
                    if (q3 && q3 < q2)
                        q2 = q3;

                    while (q2 > q && q2[-1] == ' ')
                        q2--;

                    if (q2 > q) {
                        q--;
                        filter_writen(pdf, obj, fout, q, q2 - q, (size_t *)&sum);
                        q++;
                    }
                }
            }

        } while (bytesleft > 0);
    } else {
        off_t bytesleft = obj->size;

        if (bytesleft < 0)
            status = CL_EFORMAT;
        else {
            if (obj->objstm) {
                if (filter_writen(pdf, obj, fout, obj->objstm->streambuf + obj->start, bytesleft, (size_t *)&sum) != (size_t)bytesleft) {
                    status = CL_EWRITE;
                }
            } else {
                if (filter_writen(pdf, obj, fout, pdf->map + obj->start, bytesleft, (size_t *)&sum) != (size_t)bytesleft) {
                    status = CL_EWRITE;
                }
            }
        }
    }

scan_extracted_objects:

    cli_dbgmsg("pdf_extract_obj: extracted %td bytes %u %u obj\n", sum, obj->id >> 8, obj->id & 0xff);
    cli_dbgmsg("pdf_extract_obj:         ... to %s\n", fullname);

    if ((flags & PDF_EXTRACT_OBJ_SCAN) && (sum > 0)) {
        /*
         * Scan the extracted objects for potential threats.
         * PDF_EXTRACT_OBJ_SCAN is used when the extracted object should be scanned and then deleted.
         */

        /* TODO: invoke bytecode on this pdf obj with metainformation associated */
        lseek(fout, 0, SEEK_SET);
        ret = cli_magic_scan_desc(fout, fullname, pdf->ctx, NULL, LAYER_ATTRIBUTES_NONE);
        if (ret != CL_SUCCESS) {
            status = ret;
            goto done;
        }

        if ((status == CL_CLEAN) || (status == CL_VIRUS)) {
            ret = run_pdf_hooks(pdf, PDF_PHASE_POSTDUMP, fout, fullname);
            if (ret == CL_VIRUS) {
                status = ret;
                goto done;
            }
        }

        if (((status == CL_CLEAN) || (status == CL_VIRUS)) && (obj->flags & (1 << OBJ_CONTENTS))) {
            lseek(fout, 0, SEEK_SET);
            cli_dbgmsg("pdf_extract_obj: dumping contents from obj %u %u\n", obj->id >> 8, obj->id & 0xff);

            ret = pdf_scan_contents(fout, pdf, obj);
            if (ret != CL_SUCCESS) {
                status = ret;
                goto done;
            }
        }
    }

done:

    if (NULL != dparams) {
        pdf_free_dict(dparams);
    }

    if (-1 != fout) {
        close(fout);
    }

    if (extracted_an_object && (flags & PDF_EXTRACT_OBJ_SCAN) && !pdf->ctx->engine->keeptmp) {
        /*
         * When PDF_EXTRACT_OBJ_SCAN is set, the goal is to extract, scan, and delete it.
         * If it was not set, we would keep it and the path is passed back obj->path for the caller to use.
         * That's why we wouldn't unlink it here.
         */
        if (cli_unlink(fullname) && status != CL_VIRUS) {
            status = CL_EUNLINK;
        }
    }

    return status;
}

enum objstate {
    STATE_NONE,
    STATE_S,
    STATE_FILTER,
    STATE_JAVASCRIPT,
    STATE_OPENACTION,
    STATE_LINEARIZED,
    STATE_LAUNCHACTION,
    STATE_CONTENTS,
    STATE_URI,
    STATE_ANY /* for actions table below */
};

#define NAMEFLAG_NONE 0x0
#define NAMEFLAG_HEURISTIC 0x1

struct pdfname_action {
    const char *pdfname;
    enum pdf_objflags set_objflag; /* OBJ_DICT is noop */
    enum objstate from_state;      /* STATE_NONE is noop */
    enum objstate to_state;
    uint32_t nameflags;
    void (*pdf_stats_cb)(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act);
};

static struct pdfname_action pdfname_actions[] = {
    {"ASCIIHexDecode", OBJ_FILTER_AH, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, ASCIIHexDecode_cb},
    {"ASCII85Decode", OBJ_FILTER_A85, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, ASCII85Decode_cb},
    {"A85", OBJ_FILTER_A85, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, ASCII85Decode_cb},
    {"AHx", OBJ_FILTER_AH, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, ASCIIHexDecode_cb},
    {"EmbeddedFile", OBJ_EMBEDDED_FILE, STATE_NONE, STATE_NONE, NAMEFLAG_HEURISTIC, EmbeddedFile_cb},
    {"FlateDecode", OBJ_FILTER_FLATE, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, FlateDecode_cb},
    {"Fl", OBJ_FILTER_FLATE, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, FlateDecode_cb},
    {"Image", OBJ_IMAGE, STATE_NONE, STATE_NONE, NAMEFLAG_HEURISTIC, Image_cb},
    {"LZWDecode", OBJ_FILTER_LZW, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, LZWDecode_cb},
    {"LZW", OBJ_FILTER_LZW, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, LZWDecode_cb},
    {"RunLengthDecode", OBJ_FILTER_RL, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, RunLengthDecode_cb},
    {"RL", OBJ_FILTER_RL, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, RunLengthDecode_cb},
    {"CCITTFaxDecode", OBJ_FILTER_FAX, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, CCITTFaxDecode_cb},
    {"CCF", OBJ_FILTER_FAX, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, CCITTFaxDecode_cb},
    {"JBIG2Decode", OBJ_FILTER_DCT, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, JBIG2Decode_cb},
    {"DCTDecode", OBJ_FILTER_DCT, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, DCTDecode_cb},
    {"DCT", OBJ_FILTER_DCT, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, DCTDecode_cb},
    {"JPXDecode", OBJ_FILTER_JPX, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, JPXDecode_cb},
    {"Crypt", OBJ_FILTER_CRYPT, STATE_FILTER, STATE_NONE, NAMEFLAG_HEURISTIC, Crypt_cb},
    {"Standard", OBJ_FILTER_STANDARD, STATE_FILTER, STATE_FILTER, NAMEFLAG_HEURISTIC, Standard_cb},
    {"Sig", OBJ_SIGNED, STATE_ANY, STATE_NONE, NAMEFLAG_HEURISTIC, Sig_cb},
    {"V", OBJ_SIGNED, STATE_ANY, STATE_NONE, NAMEFLAG_HEURISTIC, NULL},
    {"R", OBJ_SIGNED, STATE_ANY, STATE_NONE, NAMEFLAG_HEURISTIC, NULL},
    {"Linearized", OBJ_DICT, STATE_NONE, STATE_LINEARIZED, NAMEFLAG_HEURISTIC, NULL},
    {"Filter", OBJ_HASFILTERS, STATE_ANY, STATE_FILTER, NAMEFLAG_HEURISTIC, NULL},
    {"JavaScript", OBJ_JAVASCRIPT, STATE_ANY, STATE_JAVASCRIPT, NAMEFLAG_HEURISTIC, JavaScript_cb},
    {"Length", OBJ_DICT, STATE_FILTER, STATE_NONE, NAMEFLAG_HEURISTIC, NULL},
    {"S", OBJ_DICT, STATE_NONE, STATE_S, NAMEFLAG_HEURISTIC, NULL},
    {"Type", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_HEURISTIC, NULL},
    {"OpenAction", OBJ_OPENACTION, STATE_ANY, STATE_OPENACTION, NAMEFLAG_HEURISTIC, OpenAction_cb},
    {"Launch", OBJ_LAUNCHACTION, STATE_ANY, STATE_LAUNCHACTION, NAMEFLAG_HEURISTIC, Launch_cb},
    {"Page", OBJ_PAGE, STATE_NONE, STATE_NONE, NAMEFLAG_HEURISTIC, Page_cb},
    {"Contents", OBJ_CONTENTS, STATE_NONE, STATE_CONTENTS, NAMEFLAG_HEURISTIC, NULL},
    {"Author", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, Author_cb},
    {"Producer", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, Producer_cb},
    {"CreationDate", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, CreationDate_cb},
    {"ModDate", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, ModificationDate_cb},
    {"Creator", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, Creator_cb},
    {"Title", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, Title_cb},
    {"Keywords", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, Keywords_cb},
    {"Subject", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, Subject_cb},
    {"Pages", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, Pages_cb},
    {"Colors", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, Colors_cb},
    {"RichMedia", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, RichMedia_cb},
    {"AcroForm", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, AcroForm_cb},
    {"XFA", OBJ_DICT, STATE_NONE, STATE_NONE, NAMEFLAG_NONE, XFA_cb},
    {"URI", OBJ_DICT, STATE_NONE, STATE_URI, NAMEFLAG_NONE, URI_cb}};

#define KNOWN_FILTERS ((1 << OBJ_FILTER_AH) | (1 << OBJ_FILTER_RL) | (1 << OBJ_FILTER_A85) | (1 << OBJ_FILTER_FLATE) | (1 << OBJ_FILTER_LZW) | (1 << OBJ_FILTER_FAX) | (1 << OBJ_FILTER_DCT) | (1 << OBJ_FILTER_JPX) | (1 << OBJ_FILTER_CRYPT))

static void handle_pdfname(struct pdf_struct *pdf, struct pdf_obj *obj, const char *pdfname, int escapes, enum objstate *state)
{
    struct pdfname_action *act = NULL;
    unsigned j;

    // If we process STATE_S we will get duplicate URIs from the prior STATE_NONE
    if (!strcmp(pdfname, "URI") && *state == STATE_S) {
        *state = STATE_NONE;
        return;
    }

    obj->statsflags |= OBJ_FLAG_PDFNAME_DONE;

    // Check to see if this object was observed to be a reference to a URI
    if (obj->flags & (1 << OBJ_URI)) {
        // Forcing URI here, so we run the pdf_stats_cb for a URI.
        pdfname = "URI";
    }

    for (j = 0; j < sizeof(pdfname_actions) / sizeof(pdfname_actions[0]); j++) {
        if (!strcmp(pdfname, pdfname_actions[j].pdfname)) {
            act = &pdfname_actions[j];
            break;
        }
    }

    if (!act) {
        /* these are digital signature objects, filter doesn't matter,
         * we don't need them anyway */
        if (*state == STATE_FILTER && !(obj->flags & (1 << OBJ_SIGNED)) && !(obj->flags & KNOWN_FILTERS)) {
            cli_dbgmsg("handle_pdfname: unknown filter %s\n", pdfname);
            obj->flags |= 1 << OBJ_FILTER_UNKNOWN;
        }

        return;
    }

    /* record filter order */
    if (obj->numfilters < PDF_FILTERLIST_MAX && (*state == STATE_FILTER) && ((1 << act->set_objflag) & KNOWN_FILTERS))
        obj->filterlist[obj->numfilters++] = act->set_objflag;

    if ((act->nameflags & NAMEFLAG_HEURISTIC) && escapes) {
        /* if a commonly used PDF name is escaped that is certainly
           suspicious. */
        cli_dbgmsg("handle_pdfname: pdfname %s is escaped\n", pdfname);
        pdfobj_flag(pdf, obj, ESCAPED_COMMON_PDFNAME);
    }

    if ((act->pdf_stats_cb))
        act->pdf_stats_cb(pdf, obj, act);

    if (act->from_state == *state || act->from_state == STATE_ANY) {
        *state = act->to_state;

        if (*state == STATE_FILTER && act->set_objflag != OBJ_DICT && (obj->flags & (1 << act->set_objflag))) {
            cli_dbgmsg("handle_pdfname: duplicate stream filter %s\n", pdfname);
            pdfobj_flag(pdf, obj, BAD_STREAM_FILTERS);
        }

        obj->flags |= 1 << act->set_objflag;
    } else {
        /* auto-reset states */
        switch (*state) {
            case STATE_S:
                *state = STATE_NONE;
                break;
            default:
                break;
        }
    }
}

static void pdf_parse_encrypt(struct pdf_struct *pdf, const char *enc, int len)
{
    const char *q, *q2;
    unsigned long objid;
    unsigned long genid;
    long temp_long;

    if (len >= 16 && !strncmp(enc, "/EncryptMetadata", 16)) {
        q = cli_memstr(enc + 16, len - 16, "/Encrypt", 8);
        if (!q)
            return;

        len -= q - enc;
        enc = q;
    }

    q = enc + 8;
    len -= 8;
    q2 = pdf_nextobject(q, len);
    if (!q2 || !isdigit(*q2))
        return;
    len -= q2 - q;
    q = q2;

    if (CL_SUCCESS != cli_strntol_wrap(q2, (size_t)len, 0, 10, &temp_long)) {
        cli_dbgmsg("pdf_parse_encrypt: Found Encrypt dictionary but failed to parse objid\n");
        return;
    } else if (temp_long < 0) {
        cli_dbgmsg("pdf_parse_encrypt: Encountered invalid negative objid (%ld).\n", temp_long);
        return;
    }
    objid = (unsigned long)temp_long;

    objid = objid << 8;
    q2    = pdf_nextobject(q, len);
    if (!q2 || !isdigit(*q2))
        return;
    len -= q2 - q;
    q = q2;

    if (CL_SUCCESS != cli_strntol_wrap(q2, (size_t)len, 0, 10, &temp_long)) {
        cli_dbgmsg("pdf_parse_encrypt: Found Encrypt dictionary but failed to parse genid\n");
        return;
    } else if (temp_long < 0) {
        cli_dbgmsg("pdf_parse_encrypt: Encountered invalid negative genid (%ld).\n", temp_long);
        return;
    }
    genid = (unsigned long)temp_long;

    objid |= genid & 0xff;
    q2 = pdf_nextobject(q, len);
    if (!q2 || *q2 != 'R')
        return;

    cli_dbgmsg("pdf_parse_encrypt: Encrypt dictionary in obj %lu %lu\n", objid >> 8, objid & 0xff);

    pdf->enc_objid = objid;
}

static void pdf_parse_trailer(struct pdf_struct *pdf, const char *s, long length)
{
    const char *enc;

    enc = cli_memstr(s, length, "/Encrypt", 8);
    if (enc) {
        char *newID;
        unsigned int newIDlen = 0;

        pdf->flags |= 1 << ENCRYPTED_PDF;
        pdf_parse_encrypt(pdf, enc, s + length - enc);
        newID = pdf_readstring(s, length, "/ID", &newIDlen, NULL, false);

        if (newID) {
            free(pdf->fileID);
            pdf->fileID    = newID;
            pdf->fileIDlen = newIDlen;
        }
    }
}

void pdf_parseobj(struct pdf_struct *pdf, struct pdf_obj *obj)
{
    /* enough to hold common pdf names, we don't need all the names */
    char pdfname[64] = {0};
    const char *q2, *q3;
    const char *nextobj = NULL, *nextopen = NULL, *nextclose = NULL;
    const char *q    = NULL;
    const char *dict = NULL, *enddict = NULL, *start = NULL;
    off_t dict_length = 0, full_dict_length = 0, bytesleft = 0;
    size_t i         = 0;
    unsigned filters = 0, blockopens = 0;
    enum objstate objstate = STATE_NONE;

    json_object *pdfobj = NULL, *jsonobj = NULL;

    if (NULL == pdf || NULL == obj) {
        cli_warnmsg("pdf_parseobj: invalid arguments\n");
        return;
    }

    cli_dbgmsg("pdf_parseobj: Parsing object %u %u\n", obj->id >> 8, obj->id & 0xff);

    if (obj->objstm) {
        if ((size_t)obj->start > obj->objstm->streambuf_len) {
            cli_dbgmsg("pdf_parseobj: %u %u obj: obj start (%u) is greater than size of object stream (%zu).\n",
                       obj->id >> 8, obj->id & 0xff, obj->start, obj->objstm->streambuf_len);
            return;
        }
        q = (const char *)(obj->start + obj->objstm->streambuf);
    } else {
        if ((size_t)obj->start > pdf->size) {
            cli_dbgmsg("pdf_parseobj: %u %u obj: obj start (%u) is greater than size of PDF (%lld).\n",
                       obj->id >> 8, obj->id & 0xff, obj->start, (long long)pdf->size);
            return;
        }
        q = (const char *)(obj->start + pdf->map);
    }
    start = q;

    if (obj->size <= 0)
        return;

    if (obj->objstm) {
        bytesleft = MIN(obj->size, obj->objstm->streambuf_len - obj->start);
    } else {
        bytesleft = MIN(obj->size, pdf->size - obj->start);
    }

    /* For objects that aren't already in an object stream^, check if they contain a stream.
     * ^Objects in object streams aren't supposed to contain streams, so we don't check them. */
    if (NULL == obj->objstm) {
        /* Check if object contains stream */
        cl_error_t has_stream;
        const char *stream = NULL;
        size_t stream_size = 0;

        has_stream = find_stream_bounds(
            start,
            obj->size,
            &stream,
            &stream_size,
            (pdf->enc_method_stream <= ENC_IDENTITY) && (pdf->enc_method_embeddedfile <= ENC_IDENTITY));

        if ((CL_SUCCESS == has_stream) ||
            (CL_EFORMAT == has_stream)) {
            /* Stream found. Store this fact and the stream bounds. */
            cli_dbgmsg("pdf_parseobj: %u %u contains stream, size: %zu\n", obj->id >> 8, obj->id & 0xff, stream_size);
            obj->flags |= (1 << OBJ_STREAM);
            obj->stream      = stream;
            obj->stream_size = stream_size;
        }
    }

    /* find start of dictionary */
    do {
        nextobj = pdf_nextobject(q, bytesleft);
        bytesleft -= nextobj - q;

        if (!nextobj || bytesleft < 0) {
            cli_dbgmsg("pdf_parseobj: %u %u obj: no dictionary\n", obj->id >> 8, obj->id & 0xff);

            if (!(pdfobj) && pdf->ctx->this_layer_metadata_json != NULL) {
                pdfobj = cli_jsonobj(pdf->ctx->this_layer_metadata_json, "PDFStats");
                if (!(pdfobj))
                    return;
            }

            if (pdfobj) {
                if (!(jsonobj))
                    jsonobj = cli_jsonarray(pdfobj, "ObjectsWithoutDictionaries");
                if (jsonobj)
                    cli_jsonint_array(jsonobj, obj->id >> 8);
            }

            return;
        }

        /*
         * Opening `<` for object's dictionary may be back 1 character,
         * provided q is not at the start of the buffer (it shouldn't be).
         */
        if (obj->objstm) {
            if (obj->objstm->streambuf == q) {
                q3 = memchr(q, '<', nextobj - q);
            } else {
                q3 = memchr(q - 1, '<', nextobj - q + 1);
            }
        } else {
            if (pdf->map == q) {
                q3 = memchr(q, '<', nextobj - q);
            } else {
                q3 = memchr(q - 1, '<', nextobj - q + 1);
            }
        }
        nextobj++;
        bytesleft--;
        q = nextobj;
    } while (!q3 || q3[1] != '<');
    dict = q3 + 2;
    q    = dict;
    blockopens++;
    bytesleft = obj->size - (q - start);
    enddict   = q + bytesleft - 1;

    /* find end of dictionary block */
    if (bytesleft < 0) {
        cli_dbgmsg("pdf_parseobj: %u %u obj: broken dictionary\n", obj->id >> 8, obj->id & 0xff);

        if (!(pdfobj) && pdf->ctx->this_layer_metadata_json != NULL) {
            pdfobj = cli_jsonobj(pdf->ctx->this_layer_metadata_json, "PDFStats");
            if (!(pdfobj))
                return;
        }

        if (pdfobj) {
            if (!(jsonobj))
                jsonobj = cli_jsonarray(pdfobj, "ObjectsWithBrokenDictionaries");
            if (jsonobj)
                cli_jsonint_array(jsonobj, obj->id >> 8);
        }

        return;
    }

    /* while still looking ... */
    while ((q < enddict - 1) && (blockopens > 0)) {
        /* find next close */
        nextclose = memchr(q, '>', enddict - q);
        if (nextclose && (nextclose[1] == '>')) {
            /* check for nested open */
            while ((nextopen = memchr(q - 1, '<', nextclose - q + 1)) != NULL) {
                if (nextopen[1] == '<') {
                    /* nested open */
                    blockopens++;
                    q = nextopen + 2;
                } else {
                    /* unmatched < before next close */
                    q = nextopen + 2;
                }
            }
            /* close block */
            blockopens--;
            q = nextclose + 2;
        } else if (nextclose) {
            /* found one > but not two */
            q = nextclose + 2;
        } else {
            /* next closing not found */
            break;
        }
    }

    /* Was end of dictionary found? */
    if (blockopens) {
        /* probably truncated */
        cli_dbgmsg("pdf_parseobj: %u %u obj broken dictionary\n", obj->id >> 8, obj->id & 0xff);

        if (!(pdfobj) && pdf->ctx->this_layer_metadata_json != NULL) {
            pdfobj = cli_jsonobj(pdf->ctx->this_layer_metadata_json, "PDFStats");
            if (!(pdfobj))
                return;
        }

        if (pdfobj) {
            if (!(jsonobj))
                jsonobj = cli_jsonarray(pdfobj, "ObjectsWithBrokenDictionaries");
            if (jsonobj)
                cli_jsonint_array(jsonobj, obj->id >> 8);
        }

        return;
    }

    enddict = nextclose;
    obj->flags |= 1 << OBJ_DICT;
    full_dict_length = dict_length = enddict - dict;

    /* This code prints the dictionary content.
    {
        char * dictionary = malloc(dict_length + 1);
        if (dictionary) {
            for (i = 0; i < dict_length; i++) {
                if (dict[i] == '\r')
                    dictionary[i] = '\n';
                else if (isprint(dict[i]) || isspace(dict[i]))
                    dictionary[i] = dict[i];
                else
                    dictionary[i] = '*';
            }
            dictionary[dict_length] = '\0';
            cli_dbgmsg("pdf_parseobj: dictionary is <<%s>>\n", dictionary);
            free(dictionary);
        }
    }
    */

    /*  process pdf names */
    for (q = dict; dict_length > 0;) {
        int escapes = 0, breakout = 0;
        q2 = memchr(q, '/', dict_length);
        if (!q2)
            break;

        dict_length -= q2 - q;
        q = q2;
        /* normalize PDF names */
        for (i = 0; dict_length > 0 && (i < sizeof(pdfname) - 1); i++) {
            q++;
            dict_length--;

            if (*q == '#') {
                if (cli_hex2str_to(q + 1, pdfname + i, 2) == -1)
                    break;

                q += 2;
                dict_length -= 2;
                escapes = 1;
                continue;
            }

            switch (*q) {
                case ' ':
                case '\t':
                case '\r':
                case '\n':
                case '/':
                case '>':
                case '[':
                case ']':
                case '<':
                case '(':
                    breakout = 1;
            }

            if (breakout)
                break;

            pdfname[i] = *q;
        }

        pdfname[i] = '\0';

        handle_pdfname(pdf, obj, pdfname, escapes, &objstate);
        if (objstate == STATE_LINEARIZED) {
            long trailer_end, trailer;

            pdfobj_flag(pdf, obj, LINEARIZED_PDF);
            objstate    = STATE_NONE;
            trailer_end = pdf_readint(dict, full_dict_length, "/H");
            if ((trailer_end > 0) && ((size_t)trailer_end < pdf->size)) {
                trailer = trailer_end - 1024;
                if (trailer < 0)
                    trailer = 0;

                q2 = pdf->map + trailer;
                cli_dbgmsg("pdf_parseobj: looking for trailer in linearized pdf: %ld - %ld\n", trailer, trailer_end);
                pdf_parse_trailer(pdf, q2, trailer_end - trailer);
                if (pdf->fileID)
                    cli_dbgmsg("pdf_parseobj: found fileID\n");
            }
        }

        if (objstate == STATE_LAUNCHACTION)
            pdfobj_flag(pdf, obj, HAS_LAUNCHACTION);
        if (dict_length > 0 && (objstate == STATE_JAVASCRIPT ||
                                objstate == STATE_OPENACTION ||
                                objstate == STATE_CONTENTS ||
                                objstate == STATE_URI)) {
            off_t dict_remaining = dict_length;

            if (objstate == STATE_OPENACTION)
                pdfobj_flag(pdf, obj, HAS_OPENACTION);

            q2 = pdf_nextobject(q, dict_remaining);
            if (q2 && isdigit(*q2)) {
                const char *q2_old = NULL;
                unsigned long objid;
                unsigned long genid;
                long temp_long;

                dict_remaining -= (off_t)(q2 - q);

                if (CL_SUCCESS != cli_strntol_wrap(q2, (size_t)dict_remaining, 0, 10, &temp_long)) {
                    cli_dbgmsg("pdf_parseobj: failed to parse object objid\n");
                    return;
                } else if (temp_long < 0) {
                    cli_dbgmsg("pdf_parseobj: Encountered invalid negative genid (%ld).\n", temp_long);
                    return;
                }
                objid = (unsigned long)temp_long;

                objid = objid << 8;

                while ((dict_remaining > 0) && isdigit(*q2)) {
                    q2++;
                    dict_remaining--;
                }

                q2_old = q2;
                q2     = pdf_nextobject(q2, dict_remaining);
                if (q2 && isdigit(*q2)) {
                    dict_remaining -= (off_t)(q2 - q2_old);
                    if (CL_SUCCESS != cli_strntol_wrap(q2, (size_t)dict_remaining, 0, 10, &temp_long)) {
                        cli_dbgmsg("pdf_parseobj: failed to parse object genid\n");
                        return;
                    } else if (temp_long < 0) {
                        cli_dbgmsg("pdf_parseobj: Encountered invalid negative genid (%ld).\n", temp_long);
                        return;
                    }
                    genid = (unsigned long)temp_long;

                    objid |= genid & 0xff;

                    q2 = pdf_nextobject(q2, dict_remaining);
                    if (q2 && *q2 == 'R') {
                        struct pdf_obj *obj2;

                        cli_dbgmsg("pdf_parseobj: found %s stored in indirect object %lu %lu\n", pdfname, objid >> 8, objid & 0xff);
                        obj2 = find_obj(pdf, obj, objid);
                        if (obj2) {
                            enum pdf_objflags flag = OBJ_STREAM;

                            switch (objstate) {
                                case STATE_JAVASCRIPT:
                                    flag = OBJ_JAVASCRIPT;
                                    break;
                                case STATE_OPENACTION:
                                    flag = OBJ_OPENACTION;
                                    break;
                                case STATE_CONTENTS:
                                    flag = OBJ_CONTENTS;
                                    break;
                                case STATE_URI:
                                    flag = OBJ_URI;
                                    break;
                                default:
                                    cli_dbgmsg("pdf_parseobj: Unexpected object type\n");
                                    return;
                            }

                            obj->flags &= ~(1 << flag); /* Disable flag for current object ...                   */
                            obj2->flags |= 1 << flag;   /* ... and set the flag for the indirect object instead! */
                        } else {
                            pdfobj_flag(pdf, obj, BAD_INDOBJ);
                        }
                    }
                }
            }

            objstate = STATE_NONE;
        }
    }

    for (i = 0; i < sizeof(pdfname_actions) / sizeof(pdfname_actions[0]); i++) {
        const struct pdfname_action *act = &pdfname_actions[i];

        if ((obj->flags & (1 << act->set_objflag)) &&
            act->from_state == STATE_FILTER &&
            act->to_state == STATE_FILTER &&
            act->set_objflag != OBJ_FILTER_CRYPT &&
            act->set_objflag != OBJ_FILTER_STANDARD) {
            filters++;
        }
    }

    if (filters > 2) {
        /* more than 2 non-crypt filters */
        pdfobj_flag(pdf, obj, MANY_FILTERS);
    }

    if (obj->flags & ((1 << OBJ_SIGNED) | KNOWN_FILTERS))
        obj->flags &= ~(1 << OBJ_FILTER_UNKNOWN);

    if (obj->flags & (1 << OBJ_FILTER_UNKNOWN))
        pdfobj_flag(pdf, obj, UNKNOWN_FILTER);

    cli_dbgmsg("pdf_parseobj: %u %u obj flags: %02x\n", obj->id >> 8, obj->id & 0xff, obj->flags);
}

/**
 * @brief   Given a pointer to a dictionary object and a key, get the key's value.
 *
 * @param q0            Offset of the start of the dictionary.
 * @param[in,out] len   In: The number of bytes in the dictionary.
 *                      Out: The number of bytes remaining from the start
 *                           of the value to the end of the dict
 * @param key           Null terminated 'key' to search for.
 * @return const char*  Address of the dictionary key's 'value'.
 */
static const char *pdf_getdict(const char *q0, int *len, const char *key)
{
    const char *q;

    if (*len <= 0) {
        cli_dbgmsg("pdf_getdict: bad length %d\n", *len);
        return NULL;
    }

    if (!q0)
        return NULL;

    /* find the key */
    q = cli_memstr(q0, *len, key, strlen(key));
    if (!q) {
        cli_dbgmsg("pdf_getdict: %s not found in dict\n", key);
        return NULL;
    }

    *len -= q - q0;
    q0 = q;

    /* find the start of the value object */
    q = pdf_nextobject(q0 + 1, *len - 1);
    if (!q) {
        cli_dbgmsg("pdf_getdict: %s is invalid in dict\n", key);
        return NULL;
    }

    /* if the value is a dictionary object, include the < > brackets.*/
    while (q > q0 && (q[-1] == '<' || q[-1] == '\n'))
        q--;

    *len -= q - q0;
    return q;
}

/**
 * @brief Read the value string from a PDF dictionary key/value pair.
 *
 * @param q0            A pointer into the PDF dictionary.
 * @param len           The bytes remaining in the file.
 * @param key           The key we're looking for.
 * @param [out] slen    The length of the output string
 * @param [out] qend    The pointer we wound up at, after the end of the value.
 * @param noescape      Select 'true' to ignore escape characters, 'false' to process them.
 * @return char*
 */
static char *pdf_readstring(const char *q0, int len, const char *key, unsigned *slen, const char **qend, bool noescape)
{
    char *s, *s0;
    const char *start, *q, *end;
    if (slen)
        *slen = 0;

    if (qend)
        *qend = q0;

    q = pdf_getdict(q0, &len, key);
    if (!q || len <= 0)
        return NULL;

    if (*q == '(') {
        int paren = 1;
        start     = ++q;
        len--;
        for (; paren > 0 && len > 0; q++, len--) {
            switch (*q) {
                case '(':
                    paren++;
                    break;
                case ')':
                    paren--;
                    break;
                case '\\':
                    q++;
                    len--;
                    break;
                default:
                    break;
            }
        }

        if (len <= 0) {
            cli_errmsg("pdf_readstring: Invalid, truncated dictionary.\n");
            return NULL;
        }

        if (qend)
            *qend = q;

        q--;
        len = q - start;
        s0 = s = cli_max_malloc(len + 1);
        if (!s) {
            cli_errmsg("pdf_readstring: Unable to allocate buffer\n");
            return NULL;
        }

        end = start + len;
        if (noescape) {
            memcpy(s0, start, len);
            s = s0 + len;
        } else {
            for (q = start; q < end; q++) {
                if (*q != '\\') {
                    *s++ = *q;
                } else {
                    q++;
                    switch (*q) {
                        case 'n':
                            *s++ = '\n';
                            break;
                        case 'r':
                            *s++ = '\r';
                            break;
                        case 't':
                            *s++ = '\t';
                            break;
                        case 'b':
                            *s++ = '\b';
                            break;
                        case 'f':
                            *s++ = '\f';
                            break;
                        case '(': /* fall-through */
                        case ')': /* fall-through */
                        case '\\':
                            *s++ = *q;
                            break;
                        case '\n':
                            /* ignore */
                            break;
                        case '\r':
                            /* ignore */
                            if (q + 1 < end && q[1] == '\n')
                                q++;
                            break;
                        case '0':
                        case '1':
                        case '2':
                        case '3':
                        case '4':
                        case '5':
                        case '6':
                        case '7':
                        case '8':
                        case '9':
                            /* octal escape */
                            if (q + 2 < end) {
                                *s++ = 64 * (q[0] - '0') + 8 * (q[1] - '0') + (q[2] - '0');
                                q += 2;
                            }
                            break;
                        default:
                            /* ignore */
                            *s++ = '\\';
                            q--;
                            break;
                    }
                }
            }
        }

        *s++ = '\0';
        if (slen)
            *slen = s - s0 - 1;

        return s0;
    }

    if ((*q == '<') && (len >= 3)) {
        start = ++q;
        len -= 1;
        // skip newlines after <
        while (len > 0 && *start == '\n') {
            start = ++q;
            len -= 1;
        }
        q = memchr(q + 1, '>', len - 1);
        if (!q)
            return NULL;

        if (qend)
            *qend = q;

        s = cli_max_malloc((q - start) / 2 + 1);
        if (s == NULL) { /* oops, couldn't allocate memory */
            cli_dbgmsg("pdf_readstring: unable to allocate memory...\n");
            return NULL;
        }

        if (cli_hex2str_to(start, s, q - start)) {
            cli_dbgmsg("pdf_readstring: %s has bad hex value\n", key);
            free(s);
            return NULL;
        }

        s[(q - start) / 2] = '\0';
        if (slen)
            *slen = (q - start) / 2;

        return s;
    }

    cli_dbgmsg("pdf_readstring: %s is invalid string in dict\n", key);
    return NULL;
}

static char *pdf_readval(const char *q, int len, const char *key)
{
    const char *end;
    char *s;
    int origlen = len;

    q = pdf_getdict(q, &len, key);
    if (!q || len <= 0)
        return NULL;

    while (len > 0 && *q && *q == ' ') {
        q++;
        len--;
    }

    if (*q != '/')
        return NULL;

    q++;
    len--;
    end = q;

    while (len > 0 && *end && !(*end == '/' || (len > 1 && end[0] == '>' && end[1] == '>'))) {
        end++;
        len--;
    }

    /* end-of-buffer whitespace trimming */
    while (len < origlen && isspace(*(end - 1))) {
        end--;
        len++;
    }

    s = cli_max_malloc(end - q + 1);
    if (!s)
        return NULL;

    memcpy(s, q, end - q);
    s[end - q] = '\0';

    return s;
}

static int pdf_readint(const char *q0, int len, const char *key)
{
    long value    = 0;
    const char *q = pdf_getdict(q0, &len, key);

    if (q == NULL) {
        value = -1;
    } else if (CL_SUCCESS != cli_strntol_wrap(q, (size_t)len, 0, 10, &value)) {
        value = -1;
    }
    return value;
}

static int pdf_readbool(const char *q0, int len, const char *key, int Default)
{
    const char *q = pdf_getdict(q0, &len, key);

    if (!q || len < 5)
        return Default;

    if (!strncmp(q, "true", 4))
        return 1;

    if (!strncmp(q, "false", 5))
        return 0;

    cli_dbgmsg("pdf_readbool: invalid value for %s bool\n", key);

    return Default;
}

static const char *key_padding =
    "\x28\xBF\x4E\x5E\x4E\x75\x8A\x41\x64\x00\x4e\x56\xff\xfa\x01\x08"
    "\x2e\x2e\x00\xB6\xD0\x68\x3E\x80\x2F\x0C\xA9\xFE\x64\x53\x69\x7A";

static void dbg_printhex(const char *msg, const char *hex, unsigned len)
{
    if (cli_debug_flag) {
        char *kh = cli_str2hex(hex, len);

        cli_dbgmsg("cli_pdf: %s: %s\n", msg, kh);

        free(kh);
    }
}

/**
 * @brief Compute the hash of the password concatenated with the validation salt and (for owner-password checks) the U string.
 *
 * Some details and comments for how to compute this hash comes from the PyPDF project:
 * https://github.com/py-pdf/pypdf/blob/3.17.4/pypdf/_encryption.py#L568
 *
 * @param password  The password to hash.
 * @param pwlen     The length of the password.
 * @param salt      The validation salt.
 * @param hash      The resulting hash.
 * @param U         [Optional] The U string (for owner-password checks).
 */
static void compute_hash_r6(const char *password, size_t pwlen, const unsigned char salt[16], unsigned char hash[32], const char *U)
{
    unsigned char data[(128 + 64 + 48) * 64];
    unsigned char block[64];
    int32_t block_size = 32;
    size_t in_data_len = 0, out_data_len;
    int32_t i, j, sum;
    uint8_t sha2_256[32], sha2_384[48], sha2_512[64];

    /*
     * Compute a SHA-256 hash of the UTF-8 password concatenated with the 8 bytes of the owner or user validation salt.
     */
    memcpy(data, password, pwlen);
    memcpy(data + pwlen, salt, 8);

    if (NULL != U) {
        // If it's for the owner password check, we also concatenate the 48-byte U string.
        memcpy(data + pwlen + 8, U, 48);

        cl_sha256(data, pwlen + 8 + 48, block, NULL);
    } else {
        cl_sha256(data, pwlen + 8, block, NULL);
    }

    for (i = 0; i < 64 || i < (data[(in_data_len * 64) - 1] + 32); i++) {
        memcpy(data, password, pwlen);
        memcpy(data + pwlen, block, block_size);

        in_data_len = pwlen + block_size;

        if (NULL != U) {
            // If it's for the owner password check, we also concatenate the 48-byte U string.
            memcpy(data + pwlen + block_size, U, 48);
            in_data_len += 48;
        }

        for (j = 1; j < 64; j++)
            memcpy(data + j * in_data_len, data, in_data_len);

        aes_128cbc_encrypt(data, in_data_len * 64, data, &out_data_len, block, 16, block + 16);

        for (j = 0, sum = 0; j < 16; j++)
            sum += data[j];

        block_size = 32 + (sum % 3) * 16;
        switch (block_size) {
            case 32:
                cl_sha256(data, in_data_len * 64, sha2_256, NULL);
                memcpy(block, sha2_256, 32);
                break;

            case 48:
                cl_sha384(data, in_data_len * 64, sha2_384, NULL);
                memcpy(block, sha2_384, 48);
                break;

            case 64:
                cl_sha512(data, in_data_len * 64, sha2_512, NULL);
                memcpy(block, sha2_512, 64);
                break;
        }
    }

    memcpy(hash, block, 32);
}

/**
 * @brief Check if the owner password matches an empty password.
 *
 * Will set the DECRYPTABLE_PDF flag if the owner password is empty.
 * Will also set the key and keylen fields in the pdf_struct.
 *
 * Some details and comments for how to check the owner password comes from the PyPDF project:
 * https://github.com/py-pdf/pypdf/blob/3.17.4/pypdf/_encryption.py#L397
 *
 * @param pdf       The PDF context.
 * @param R         The encryption version.
 * @param O         The /O string.
 * @param U         The /U string.
 * @param OE        The /OE string.
 * @param OE_len    The length of the /OE string.
 */
static void check_owner_password(struct pdf_struct *pdf, int R,
                                 const char *O, const char *U,
                                 const char *OE, size_t OE_len)
{
    bool password_empty = false;

    dbg_printhex("U: ", U, 32);
    dbg_printhex("O: ", O, 32);

    switch (R) {
        case 6: {
            unsigned char hash[32], validationkey[32];

            size_t pwlen    = 0;
            char password[] = "";

            if (NULL == OE) {
                cli_dbgmsg("check_owner_password: Missing OE value!\n");
                noisy_warnmsg("check_owner_password: Missing OE value!\n");
                goto done;
            }

            dbg_printhex("OE: ", OE, OE_len);

            /*
             * Test the password against the owner key by computing the SHA-256 hash of the UTF-8 password concatenated
             * with the 8 bytes of owner validation salt, concatenated with the 48-byte U string.
             */
            compute_hash_r6(
                password,
                pwlen,
                (const unsigned char *)(O + 32), // owner validation salt
                validationkey,
                U);

            /* If the 32-byte result matches the first 32 bytes of the O string, this is the owner password. */
            if (0 != memcmp(O, validationkey, sizeof(validationkey))) {
                cli_dbgmsg("check_owner_password: Owner password check did not match!\n");
                break;
            }

            /*
             * Compute an intermediate owner key by computing the SHA-256 hash of the UTF-8 password concatenated with
             * the 8 bytes of owner key salt, concatenated with the 48-byte U string.
             */
            compute_hash_r6(
                password,
                pwlen,
                (const unsigned char *)(O + 40), // owner key salt
                hash,
                U);

            if (OE_len != 32) {
                cli_dbgmsg("check_owner_password: OE length is not 32: %zu\n", OE_len);
                noisy_warnmsg("check_owner_password: OE length is not 32: %zu\n", OE_len);
            } else {
                pdf->keylen = 32;
                pdf->key    = cli_max_malloc(pdf->keylen);
                if (!pdf->key) {
                    cli_errmsg("check_owner_password: Cannot allocate memory for pdf->key\n");
                    goto done;
                }

                aes_256cbc_decrypt((const unsigned char *)OE, &OE_len, (unsigned char *)(pdf->key), (char *)hash, 32, 0);
                dbg_printhex("check_owner_password: Candidate encryption key", pdf->key, pdf->keylen);

                password_empty = true;
            }

            break;
        }
        default: {
            cli_dbgmsg("check_owner_password: Unknown or unsupported encryption version. R: %d\n", R);
            noisy_warnmsg("check_owner_password: Unknown or unsupported encryption version. R: %d\n", R);
        }
    }

    if (password_empty) {
        /* The key we computed above is the key used to encrypt the streams. We could decrypt it now if we wanted to */
        pdf->flags |= 1 << DECRYPTABLE_PDF;

        cli_dbgmsg("check_owner_password: encrypted PDF found, owner password is empty, will attempt to decrypt\n");
        noisy_msg(pdf, "check_owner_password: encrypted PDF found, owner password is empty, will attempt to decrypt\n");
    } else {
        /* The key is not valid, we would need the user or the owner password to decrypt */
        cli_dbgmsg("check_owner_password: encrypted PDF found but cannot decrypt with empty owner password\n");
        noisy_warnmsg("check_owner_password: encrypted PDF found but cannot decrypt with empty owner password\n");
    }

done:

    return;
}

static void check_user_password(struct pdf_struct *pdf, int R, const char *O,
                                const char *U, int32_t P, int EM,
                                const char *UE, size_t UE_len,
                                unsigned length)
{
    unsigned i;
    uint8_t result[16];
    char data[32];
    struct arc4_state arc4;
    bool password_empty = false;

    dbg_printhex("U: ", U, 32);
    dbg_printhex("O: ", O, 32);

    switch (R) {
        case 2:
        case 3:
        case 4: {
            unsigned char *d;
            size_t sz = 68 + pdf->fileIDlen + (R >= 4 && !EM ? 4 : 0);
            d         = calloc(1, sz);

            if (!(d))
                goto done;

            memcpy(d, key_padding, 32);
            memcpy(d + 32, O, 32);
            P = le32_to_host(P);
            memcpy(d + 64, &P, 4);
            memcpy(d + 68, pdf->fileID, pdf->fileIDlen);

            /* 7.6.3.3 Algorithm 2 */
            /* empty password, password == padding */
            if (R >= 4 && !EM) {
                uint32_t v = 0xFFFFFFFF;
                memcpy(d + 68 + pdf->fileIDlen, &v, 4);
            }

            cl_hash_data("md5", d, sz, result, NULL);
            free(d);
            if (length > 128)
                length = 128;
            if (R >= 3) {
                /* Yes, this really is on purpose */
                for (i = 0; i < 50; i++)
                    cl_hash_data("md5", result, length / 8, result, NULL);
            }
            if (R == 2)
                length = 40;

            pdf->keylen = length / 8;
            pdf->key    = cli_max_malloc(pdf->keylen);
            if (!pdf->key)
                goto done;

            memcpy(pdf->key, result, pdf->keylen);
            dbg_printhex("md5", (const char *)result, 16);
            dbg_printhex("Candidate encryption key", pdf->key, pdf->keylen);

            /* 7.6.3.3 Algorithm 6 */
            if (R == 2) {
                /* 7.6.3.3 Algorithm 4 */
                memcpy(data, key_padding, 32);
                if (false == arc4_init(&arc4, (const uint8_t *)(pdf->key), pdf->keylen)) {
                    noisy_warnmsg("check_user_password: failed to init arc4\n");
                    goto done;
                }
                arc4_apply(&arc4, (uint8_t *)data, 32);
                dbg_printhex("computed U (R2)", data, 32);
                if (!memcmp(data, U, 32))
                    password_empty = true;
            } else {
                // R is 3 or 4
                unsigned len = pdf->keylen;
                unsigned char *d;

                d = calloc(1, 32 + pdf->fileIDlen);
                if (!(d))
                    goto done;

                /* 7.6.3.3 Algorithm 5 */
                memcpy(d, key_padding, 32);
                memcpy(d + 32, pdf->fileID, pdf->fileIDlen);
                cl_hash_data("md5", d, 32 + pdf->fileIDlen, result, NULL);
                memcpy(data, pdf->key, len);

                if (false == arc4_init(&arc4, (const uint8_t *)data, len)) {
                    noisy_warnmsg("check_user_password: failed to init arc4\n");
                    goto done;
                }
                arc4_apply(&arc4, result, 16);
                for (i = 1; i <= 19; i++) {
                    unsigned j;

                    for (j = 0; j < len; j++)
                        data[j] = pdf->key[j] ^ i;

                    if (false == arc4_init(&arc4, (const uint8_t *)data, len)) {
                        noisy_warnmsg("check_user_password: failed to init arc4\n");
                        goto done;
                    }
                    arc4_apply(&arc4, result, 16);
                }

                dbg_printhex("fileID", pdf->fileID, pdf->fileIDlen);
                dbg_printhex("computed U (R>=3)", (const char *)result, 16);
                if (!memcmp(result, U, 16))
                    password_empty = true;
                free(d);
            }

            break;
        }
        case 5: {
            uint8_t result2[32];

            /* supplement to ISO3200, 3.5.2 Algorithm 3.11 */
            /* user validation salt */
            cl_sha256(U + 32, 8, result2, NULL);
            dbg_printhex("Computed U", (const char *)result2, 32);
            if (!memcmp(result2, U, 32)) {
                /* Algorithm 3.2a could be used to recover encryption key */
                cl_sha256(U + 40, 8, result2, NULL);

                if (UE_len != 32) {
                    cli_dbgmsg("check_user_password: UE length is not 32: %zu\n", UE_len);
                    noisy_warnmsg("check_user_password: UE length is not 32: %zu\n", UE_len);
                } else {
                    pdf->keylen = 32;
                    pdf->key    = cli_max_malloc(pdf->keylen);
                    if (!pdf->key) {
                        cli_errmsg("check_user_password: Cannot allocate memory for pdf->key\n");
                        goto done;
                    }

                    aes_256cbc_decrypt((const unsigned char *)UE, &UE_len, (unsigned char *)(pdf->key), (char *)result2, 32, 0);
                    dbg_printhex("check_user_password: Candidate encryption key", pdf->key, pdf->keylen);

                    password_empty = true;
                }
            }

            break;
        }
        case 6: {
            unsigned char hash[32], validationkey[32];

            size_t pwlen    = 0;
            char password[] = "";

            if (NULL == UE) {
                cli_dbgmsg("check_user_password: Missing UE value!\n");
                noisy_warnmsg("check_user_password: Missing UE value!\n");
                goto done;
            }

            dbg_printhex("UE: ", UE, UE_len);

            /*
             * Test the password against the user key by computing the SHA-256 hash of the UTF-8 password concatenated
             * with the 8 bytes of user validation salt.
             */
            compute_hash_r6(
                password,
                pwlen,
                (const unsigned char *)(U + 32), // user validation salt
                validationkey,
                NULL); // no U string for user password check

            /* If the 32-byte result matches the first 32 bytes of the U string, this is the user password. */
            if (0 != memcmp(U, validationkey, sizeof(validationkey))) {
                cli_dbgmsg("check_user_password: User password check did not match!\n");
                break;
            }

            /*
             * Compute an intermediate user key by computing the SHA-256 hash of the UTF-8 password concatenated with
             * the 8 bytes of user key salt.
             */
            compute_hash_r6(
                password,
                pwlen,
                (const unsigned char *)(U + 40), // user key salt
                hash,
                NULL); // no U string for user password check

            if (UE_len != 32) {
                cli_dbgmsg("check_user_password: UE length is not 32: %zu\n", UE_len);
                noisy_warnmsg("check_user_password: UE length is not 32: %zu\n", UE_len);
            } else {
                pdf->keylen = 32;
                pdf->key    = cli_max_malloc(pdf->keylen);
                if (!pdf->key) {
                    cli_errmsg("check_user_password: Cannot allocate memory for pdf->key\n");
                    goto done;
                }

                aes_256cbc_decrypt((const unsigned char *)UE, &UE_len, (unsigned char *)(pdf->key), (char *)hash, 32, 0);
                dbg_printhex("check_user_password: Candidate encryption key", pdf->key, pdf->keylen);

                password_empty = true;
            }

            break;
        }
        default: {
            /* Supported R is in {2,3,4,5} */
            cli_dbgmsg("check_user_password: R value out of range\n");
            noisy_warnmsg("check_user_password: R value out of range\n");
        }
    }

    if (password_empty) {
        cli_dbgmsg("check_user_password: user password is empty\n");
        noisy_msg(pdf, "check_user_password: encrypted PDF found, user password is empty, will attempt to decrypt\n");
        /* The key we computed above is the key used to encrypt the streams.
         * We could decrypt it now if we wanted to */
        pdf->flags |= 1 << DECRYPTABLE_PDF;
    } else {
        /* the key is not valid, we would need the user or the owner password to decrypt */
        cli_dbgmsg("check_user_password: user/owner password would be required for decryption\n");
        noisy_warnmsg("check_user_password: encrypted PDF found, user password is NOT empty, cannot decrypt!\n");
    }

done:
    return;
}

enum enc_method parse_enc_method(const char *dict, unsigned len, const char *key, enum enc_method def)
{
    const char *q;
    char *CFM           = NULL;
    enum enc_method ret = ENC_UNKNOWN;

    if (!key)
        return def;

    if (!strcmp(key, "Identity"))
        return ENC_IDENTITY;

    q = pdf_getdict(dict, (int *)(&len), key);
    if (!q)
        return def;

    CFM = pdf_readval(q, len, "/CFM");
    if (CFM) {
        cli_dbgmsg("parse_enc_method: %s CFM: %s\n", key, CFM);
        if (!strncmp(CFM, "V2", 2))
            ret = ENC_V2;
        else if (!strncmp(CFM, "AESV2", 5))
            ret = ENC_AESV2;
        else if (!strncmp(CFM, "AESV3", 5))
            ret = ENC_AESV3;
        else if (!strncmp(CFM, "None", 4))
            ret = ENC_NONE;

        free(CFM);
    }

    return ret;
}

void pdf_handle_enc(struct pdf_struct *pdf)
{
    struct pdf_obj *obj;
    uint32_t len, n, R, P, length, EM = 1, i, oulen;

    char *O       = NULL;
    char *OE      = NULL;
    size_t OE_len = 0;

    char *U       = NULL;
    char *UE      = NULL;
    size_t UE_len = 0;

    char *StmF = NULL;
    char *StrF = NULL;
    char *EFF  = NULL;

    const char *q, *q2;

    if (pdf->enc_objid == ~0u)
        return;
    if (!pdf->fileID) {
        cli_dbgmsg("pdf_handle_enc: no file ID\n");
        noisy_warnmsg("pdf_handle_enc: no file ID\n");
        return;
    }

    obj = find_obj(pdf, pdf->objs[0], pdf->enc_objid);
    if (!obj) {
        cli_dbgmsg("pdf_handle_enc: can't find encryption object %d %d\n", pdf->enc_objid >> 8, pdf->enc_objid & 0xff);
        noisy_warnmsg("pdf_handle_enc: can't find encryption object %d %d\n", pdf->enc_objid >> 8, pdf->enc_objid & 0xff);
        return;
    }

    len = obj->size;

    if (NULL == obj->objstm) {
        q = (const char *)(obj->start + pdf->map);

        if (!CLI_ISCONTAINED(pdf->map, pdf->size, q, len)) {
            cli_dbgmsg("pdf_handle_enc: encryption object found, but not contained in PDF\n");
            noisy_warnmsg("pdf_handle_enc: encryption object found, but not contained in PDF\n");
            return;
        }
    } else {
        q = (const char *)(obj->start + obj->objstm->streambuf);

        if (!CLI_ISCONTAINED(obj->objstm->streambuf, obj->objstm->streambuf_len, q, len)) {
            cli_dbgmsg("pdf_handle_enc: encryption object found, but not contained in PDF streambuf\n");
            noisy_warnmsg("pdf_handle_enc: encryption object found, but not contained in PDF streambuf\n");
            return;
        }
    }

    O = U = UE = StmF = StrF = EFF = NULL;

    pdf->enc_method_string       = ENC_UNKNOWN;
    pdf->enc_method_stream       = ENC_UNKNOWN;
    pdf->enc_method_embeddedfile = ENC_UNKNOWN;

    q2 = cli_memstr(q, len, "/Standard", 9);
    if (!q2) {
        cli_dbgmsg("pdf_handle_enc: /Standard not found\n");
        noisy_warnmsg("pdf_handle_enc: /Standard not found\n");
        goto done;
    }

    /* we can have both of these:
     * /AESV2/Length /Standard/Length
     * /Length /Standard
     * make sure we don't mistake AES's length for Standard's */
    length = pdf_readint(q2, len - (q2 - q), "/Length");
    if (length == ~0u)
        length = pdf_readint(q, len, "/Length");

    if (length < 40) {
        cli_dbgmsg("pdf_handle_enc: invalid length: %d\n", length);
        length = 40;
    }

    R = pdf_readint(q, len, "/R");
    if (R == ~0u) {
        cli_dbgmsg("pdf_handle_enc: invalid R\n");
        noisy_warnmsg("pdf_handle_enc: invalid R\n");
        goto done;
    }

    if ((R > 6) || (R < 2)) {
        cli_dbgmsg("pdf_handle_enc: R value outside supported range [2..6]\n");
        noisy_warnmsg("pdf_handle_enc: R value outside supported range [2..6]\n");
        goto done;
    }

    P = pdf_readint(q, len, "/P");
    if (R < 6) { // P field doesn't seem to be required for R6.
        if (P == ~0u) {
            cli_dbgmsg("pdf_handle_enc: invalid P\n");
            noisy_warnmsg("pdf_handle_enc: invalid P\n");
            goto done;
        }
    }

    if (R < 5) {
        oulen = 32;
    } else {
        oulen = 48;
    }

    if (R == 2 || R == 3) {
        pdf->enc_method_stream       = ENC_V2;
        pdf->enc_method_string       = ENC_V2;
        pdf->enc_method_embeddedfile = ENC_V2;
    } else if (R == 4 || R == 5 || R == 6) {
        EM        = pdf_readbool(q, len, "/EncryptMetadata", 1);
        StmF      = pdf_readval(q, len, "/StmF");
        StrF      = pdf_readval(q, len, "/StrF");
        EFF       = pdf_readval(q, len, "/EFF");
        n         = len;
        pdf->CF   = pdf_getdict(q, (int *)(&n), "/CF");
        pdf->CF_n = n;

        if (StmF) {
            cli_dbgmsg("pdf_handle_enc: StmF: %s\n", StmF);
        }
        if (StrF) {
            cli_dbgmsg("pdf_handle_enc: StrF: %s\n", StrF);
        }
        if (EFF) {
            cli_dbgmsg("pdf_handle_enc: EFF: %s\n", EFF);
        }

        pdf->enc_method_stream       = parse_enc_method(pdf->CF, n, StmF, ENC_IDENTITY);
        pdf->enc_method_string       = parse_enc_method(pdf->CF, n, StrF, ENC_IDENTITY);
        pdf->enc_method_embeddedfile = parse_enc_method(pdf->CF, n, EFF, pdf->enc_method_stream);

        cli_dbgmsg("pdf_handle_enc: EncryptMetadata: %s\n", EM ? "true" : "false");

        if (R == 4) {
            length = 128;
        } else {
            length = 256;

            /*
             * Read the UE value (for checking user-password)
             */
            n      = 0;
            UE     = pdf_readstring(q, len, "/UE", &n, NULL, false);
            UE_len = n;

            /*
             * Read the OE value (for checking owner-password)
             */
            n      = 0;
            OE     = pdf_readstring(q, len, "/OE", &n, NULL, false);
            OE_len = n;
        }
    }

    if (length == ~0u)
        length = 40;

    /*
     * Read the O value
     */
    n = 0;
    O = pdf_readstring(q, len, "/O", &n, NULL, false);
    if (!O || n < oulen) {
        cli_dbgmsg("pdf_handle_enc: invalid O: %d\n", n);
        noisy_warnmsg("pdf_handle_enc: invalid O: %d\n", n);
        if (O) {
            dbg_printhex("invalid O", O, n);
        }

        goto done;
    }
    if (n > oulen) {
        for (i = oulen; i < n; i++) {
            if (O[i]) {
                dbg_printhex("pdf_handle_enc: too long O", O, n);
                noisy_warnmsg("pdf_handle_enc: too long O: %u", n);
                goto done;
            }
        }
    }

    /*
     * Read the U value
     */
    n = 0;
    U = pdf_readstring(q, len, "/U", &n, NULL, false);
    if (!U || n < oulen) {
        cli_dbgmsg("pdf_handle_enc: invalid U: %u\n", n);
        noisy_warnmsg("pdf_handle_enc: invalid U: %u\n", n);
        if (U) {
            dbg_printhex("invalid U", U, n);
        }

        goto done;
    }

    if (n > oulen) {
        for (i = oulen; i < n; i++) {
            if (U[i]) {
                dbg_printhex("too long U", U, n);
                goto done;
            }
        }
    }

    cli_dbgmsg("pdf_handle_enc: Encrypt R: %d, P %x, length: %u\n", R, P, length);
    if (length % 8) {
        cli_dbgmsg("pdf_handle_enc: wrong key length, not multiple of 8\n");
        noisy_warnmsg("pdf_handle_enc: wrong key length, not multiple of 8\n");
        goto done;
    }

    // Check the owner password.
    check_owner_password(pdf, R, O, U, OE, OE_len);

    if (NULL == pdf->key) {
        // Wasn't the owner password, let's try the user password.
        check_user_password(pdf, R, O, U, P, EM, UE, UE_len, length);
    }

done:
    free(O);
    free(OE);

    free(U);
    free(UE);

    free(StmF);
    free(StrF);
    free(EFF);
}

/**
 * @brief Search pdf buffer for objects.  Parse each.
 *
 * Newly found objects will be extracted after completion when the extraction for loop continues.
 *
 * @param pdf           Pdf struct that keeps track of all information found in the PDF.
 * @param objstm        Pointer to an object stream to parse.
 *
 * @return cl_error_t   Error code.
 */
cl_error_t pdf_find_and_parse_objs_in_objstm(struct pdf_struct *pdf, struct objstm_struct *objstm)
{
    cl_error_t status   = CL_EFORMAT;
    cl_error_t retval   = CL_EPARSE;
    uint32_t badobjects = 0;
    size_t i            = 0;

    struct pdf_obj *obj = NULL;

    if ((NULL == objstm) || (NULL == objstm->streambuf)) {
        status = CL_EARG;
        goto done;
    }

    if ((0 == objstm->first) ||
        (0 == objstm->streambuf_len) ||
        (0 == objstm->n)) {
        cli_dbgmsg("pdf_find_and_parse_objs_in_objstm: Empty object stream.\n");
        goto done;
    }

    if (objstm->first >= objstm->streambuf_len) {
        cli_dbgmsg("pdf_find_and_parse_objs_in_objstm: Invalid objstm values. Offset of first obj greater than stream length.\n");
        goto done;
    }

    /* Process each object */
    for (i = 0; i < objstm->n; i++) {
        obj = NULL;

        if (cli_checktimelimit(pdf->ctx) != CL_SUCCESS) {
            cli_dbgmsg("Timeout reached in the PDF parser while parsing object stream.\n");
            status = CL_ETIMEOUT;
            goto done;
        }

        /* Find object */
        retval = pdf_findobj_in_objstm(pdf, objstm, &obj);
        if (retval != CL_SUCCESS) {
            if (retval != CL_BREAK) {
                cli_dbgmsg("pdf_find_and_parse_objs_in_objstm: Fewer objects in stream than expected: %zu found, %zu expected.\n",
                           objstm->nobjs_found, objstm->n);
                badobjects++;
                pdf->stats.ninvalidobjs++;
            }
            break;
        }

        cli_dbgmsg("pdf_find_and_parse_objs_in_objstm: Found object %u %u in object stream at offset: %u\n", obj->id >> 8, obj->id & 0xff, obj->start);

        if (cli_checktimelimit(pdf->ctx) != CL_SUCCESS) {
            cli_dbgmsg("Timeout reached in the PDF parser while parsing object stream.\n");
            status = CL_ETIMEOUT;
            goto done;
        }

        /* Parse object */
        pdf_parseobj(pdf, obj);
    }

    if (badobjects) {
        status = CL_EFORMAT;
        goto done;
    }

    status = CL_SUCCESS;

done:
    return status;
}

/**
 * @brief Search pdf buffer for objects.  Parse each and then extract each.
 *
 * @param pdf               Pdf struct that keeps track of all information found in the PDF.
 *
 * @return cl_error_t       Error code.
 */
static cl_error_t pdf_find_and_extract_objs(struct pdf_struct *pdf)
{
    cl_error_t status   = CL_SUCCESS;
    int32_t rv          = 0;
    unsigned int i      = 0;
    uint32_t badobjects = 0;
    cli_ctx *ctx        = NULL;

    if (NULL == pdf) {
        cli_errmsg("pdf_find_and_extract_objs: Invalid arguments.\n");
        status = CL_EARG;
        goto done;
    }

    ctx = pdf->ctx;

    /* parse PDF and find obj offsets */
    while (CL_BREAK != (rv = pdf_findobj(pdf))) {
        if (rv == CL_EMEM) {
            cli_errmsg("pdf_find_and_extract_objs: Memory allocation error.\n");
            status = CL_EMEM;
            goto done;
        }
    }

    /* must parse after finding all objs, so we can flag indirect objects */
    for (i = 0; i < pdf->nobjs; i++) {
        struct pdf_obj *obj = pdf->objs[i];

        if (cli_checktimelimit(pdf->ctx) != CL_SUCCESS) {
            cli_dbgmsg("pdf_find_and_extract_objs: Timeout reached in the PDF parser while parsing objects.\n");

            status = CL_ETIMEOUT;
            goto done;
        }

        pdf_parseobj(pdf, obj);
    }

    pdf_handle_enc(pdf);
    if (pdf->flags & (1 << ENCRYPTED_PDF))
        cli_dbgmsg("pdf_find_and_extract_objs: encrypted pdf found, %s!\n",
                   (pdf->flags & (1 << DECRYPTABLE_PDF)) ? "decryptable" : "not decryptable, stream will probably fail to decompress");

    if (SCAN_HEURISTIC_ENCRYPTED_DOC &&
        (pdf->flags & (1 << ENCRYPTED_PDF)) &&
        !(pdf->flags & (1 << DECRYPTABLE_PDF))) {
        /* It is encrypted, and a password/key needs to be supplied to decrypt.
         * This doesn't trigger for PDFs that are encrypted but don't need
         * a password to decrypt */
        status = cli_append_potentially_unwanted(pdf->ctx, "Heuristics.Encrypted.PDF");
    }

    if (CL_SUCCESS == status) {
        status = run_pdf_hooks(pdf, PDF_PHASE_PARSED, -1, NULL);
        cli_dbgmsg("pdf_find_and_extract_objs: (parsed hooks) returned %d\n", status);
    }

    if (CL_SUCCESS == status) {
        /* extract PDF objs */
        for (i = 0; !status && i < pdf->nobjs; i++) {
            struct pdf_obj *obj = pdf->objs[i];

            if (cli_checktimelimit(pdf->ctx) != CL_SUCCESS) {
                cli_dbgmsg("pdf_find_and_extract_objs: Timeout reached in the PDF parser while extracting objects.\n");

                status = CL_ETIMEOUT;
                goto done;
            }

            pdf->parse_recursion_depth++;
            status = pdf_extract_obj(pdf, obj, PDF_EXTRACT_OBJ_SCAN);
            pdf->parse_recursion_depth--;
            switch (status) {
                case CL_EFORMAT:
                    /* Don't halt on one bad object */
                    cli_dbgmsg("pdf_find_and_extract_objs: Format error when extracting object, skipping to the next object.\n");
                    badobjects++;
                    pdf->stats.ninvalidobjs++;
                    status = CL_CLEAN;
                    break;
                case CL_VIRUS:
                    break;
                default:
                    break;
            }
        }
    }

done:
    if ((CL_SUCCESS == status) && badobjects) {
        status = CL_EFORMAT;
    }

    return status;
}

/**
 * @brief Primary function for parsing and scanning a PDF.
 *
 * @param dir       Filepath for temp file.
 * @param ctx       clam scan context structure.
 * @param offset    offset of pdf in ctx->fmap
 *
 * @return int      Returns cl_error_t status value.
 */
cl_error_t cli_pdf(const char *dir, cli_ctx *ctx, off_t offset)
{
    cl_error_t rc = CL_SUCCESS;
    struct pdf_struct pdf;
    fmap_t *map   = ctx->fmap;
    size_t size   = map->len - offset;
    off_t versize = size > 1032 ? 1032 : size;
    off_t map_off, bytesleft;
    unsigned long xref;
    long temp_long;
    const char *pdfver, *tmp, *start, *eofmap, *q, *eof;
    unsigned i;
    unsigned int objs_found = 0;

    json_object *pdfobj = NULL;
    char *begin, *end, *p1;

    cli_dbgmsg("in cli_pdf(%s)\n", dir);
    memset(&pdf, 0, sizeof(pdf));
    pdf.ctx       = ctx;
    pdf.dir       = dir;
    pdf.enc_objid = ~0u;

    pdfver = start = fmap_need_off_once(map, offset, versize);

    /* Check PDF version */
    if (!pdfver) {
        cli_errmsg("cli_pdf: mmap() failed (1)\n");
        rc = CL_EMAP;
        goto done;
    }

    if (ctx->this_layer_metadata_json)
        pdfobj = cli_jsonobj(ctx->this_layer_metadata_json, "PDFStats");

    /* offset is 0 when coming from filetype2 */
    tmp = cli_memstr(pdfver, versize, "%PDF-", 5);
    if (!tmp) {
        cli_dbgmsg("cli_pdf: no PDF- header found\n");
        noisy_warnmsg("cli_pdf: no PDF- header found\n");

        rc = CL_SUCCESS;
        goto done;
    }

    versize -= tmp - pdfver;
    pdfver = tmp;

    if (versize < 8) {
        rc = CL_EFORMAT;
        goto done;
    }

    /* Check for PDF-1.[0-9]. Although 1.7 is highest now, allow for future versions */
    if (pdfver[5] != '1' || pdfver[6] != '.' ||
        pdfver[7] < '1' || pdfver[7] > '9') {
        pdf.flags |= 1 << BAD_PDF_VERSION;
        cli_dbgmsg("cli_pdf: bad pdf version: %.8s\n", pdfver);

        if (pdfobj)
            cli_jsonbool(pdfobj, "BadVersion", 1);
    } else {
        if (pdfobj) {
            begin = (char *)(pdfver + 5);
            end   = begin + 2;
            strtoul(end, &end, 10);
            p1 = cli_max_calloc((end - begin) + 2, 1);
            if (p1) {
                strncpy(p1, begin, end - begin);
                p1[end - begin] = '\0';
                cli_jsonstr(pdfobj, "PDFVersion", p1);
                free(p1);
            }
        }
    }

    if (pdfver != start || offset) {
        pdf.flags |= 1 << BAD_PDF_HEADERPOS;
        cli_dbgmsg("cli_pdf: PDF header is not at position 0: %lld\n", (long long)(pdfver - start + offset));

        if (pdfobj)
            cli_jsonbool(pdfobj, "BadVersionLocation", 1);
    }

    offset += pdfver - start;

    /* find trailer and xref, don't fail if not found */
    map_off = (off_t)map->len - 2048;
    if (map_off < 0)
        map_off = 0;

    bytesleft = map->len - map_off;

    eofmap = fmap_need_off_once(map, map_off, bytesleft);
    if (!eofmap) {
        cli_errmsg("cli_pdf: mmap() failed (2)\n");

        rc = CL_EMAP;
        goto done;
    }

    eof = eofmap + bytesleft;
    for (q = &eofmap[bytesleft - 5]; q > eofmap; q--) {
        if (memcmp(q, "%%EOF", 5) == 0)
            break;
    }

    if (q <= eofmap) {
        pdf.flags |= 1 << BAD_PDF_TRAILER;
        cli_dbgmsg("cli_pdf: %%%%EOF not found\n");

        if (pdfobj)
            cli_jsonbool(pdfobj, "NoEOF", 1);
    } else {
        const char *t;

        /*size = q - eofmap + map_off;*/
        q -= 9;
        for (; q > eofmap; q--) {
            if (memcmp(q, "startxref", 9) == 0)
                break;
        }

        if (q <= eofmap) {
            pdf.flags |= 1 << BAD_PDF_TRAILER;
            cli_dbgmsg("cli_pdf: startxref not found\n");

            if (pdfobj)
                cli_jsonbool(pdfobj, "NoXREF", 1);
        } else {
            for (t = q; t > eofmap; t--) {
                if (memcmp(t, "trailer", 7) == 0)
                    break;
            }

            pdf_parse_trailer(&pdf, eofmap, eof - eofmap);
            q += 9;

            while (q < eof && (*q == ' ' || *q == '\n' || *q == '\r')) {
                q++;
            }

            if (CL_SUCCESS != cli_strntol_wrap(q, q - eofmap + map_off, 0, 10, &temp_long)) {
                cli_dbgmsg("cli_pdf: failed to parse PDF trailer xref\n");
                pdf.flags |= 1 << BAD_PDF_TRAILER;
            } else if (temp_long < 0) {
                cli_dbgmsg("cli_pdf: Encountered invalid negative PDF trailer xref (%ld).\n", temp_long);
                pdf.flags |= 1 << BAD_PDF_TRAILER;
            } else {
                xref      = (unsigned long)temp_long;
                bytesleft = map->len - offset - xref;
                if (bytesleft > 4096)
                    bytesleft = 4096;

                q = fmap_need_off_once(map, offset + xref, bytesleft);
                if (!q || xrefCheck(q, q + bytesleft) == -1) {
                    cli_dbgmsg("cli_pdf: did not find valid xref\n");
                    pdf.flags |= 1 << BAD_PDF_TRAILER;
                }
            }
        }
    }

    size -= offset;
    pdf.size = size;
    pdf.map  = fmap_need_off(map, offset, size);
    if (!pdf.map) {
        cli_errmsg("cli_pdf: mmap() failed (3)\n");

        rc = CL_EMAP;
        goto done;
    }

    pdf.startoff = offset;

    rc = run_pdf_hooks(&pdf, PDF_PHASE_PRE, -1, NULL);
    if (CL_SUCCESS != rc) {
        cli_dbgmsg("cli_pdf: (pre hooks) returning %d\n", rc);

        rc = rc == CL_BREAK ? CL_CLEAN : rc;
        goto done;
    }

    /*
     * Find and extract all objects in the PDF.
     * This methodology adds objects from object streams.
     */
    objs_found = pdf.nobjs;
    rc         = pdf_find_and_extract_objs(&pdf);

    if (CL_EMEM == rc) {
        cli_dbgmsg("cli_pdf: pdf_find_and_extract_objs had an allocation failure\n");
        goto err;
    } else if (pdf.nobjs <= objs_found) {
        cli_dbgmsg("cli_pdf: pdf_find_and_extract_objs did not find any new objects!\n");
    } else {
        cli_dbgmsg("cli_pdf: pdf_find_and_extract_objs found %d new objects.\n", pdf.nobjs - objs_found);
    }

    if (pdf.flags & (1 << ENCRYPTED_PDF))
        pdf.flags &= ~((1 << BAD_FLATESTART) | (1 << BAD_STREAMSTART) | (1 << BAD_ASCIIDECODE));

    if (pdf.flags && CL_SUCCESS == rc) {
        cli_dbgmsg("cli_pdf: flags 0x%02x\n", pdf.flags);
        rc = run_pdf_hooks(&pdf, PDF_PHASE_END, -1, NULL);

        if (CL_SUCCESS == rc && SCAN_HEURISTICS && (ctx->dconf->other & OTHER_CONF_PDFNAMEOBJ)) {
            if (pdf.flags & (1 << ESCAPED_COMMON_PDFNAME)) {
                /* for example /Fl#61te#44#65#63#6f#64#65 instead of /FlateDecode */
                rc = cli_append_potentially_unwanted(ctx, "Heuristics.PDF.ObfuscatedNameObject");
            }
        }
#if 0
    /* TODO: find both trailers, and /Encrypt settings */
    if (pdf.flags & (1 << LINEARIZED_PDF))
        pdf.flags &= ~ (1 << BAD_ASCIIDECODE);
    if (pdf.flags & (1 << MANY_FILTERS))
        pdf.flags &= ~ (1 << BAD_ASCIIDECODE);
    if (CL_SUCCESS == rc && (pdf.flags &
        ((1 << BAD_PDF_TOOMANYOBJS) | (1 << BAD_STREAM_FILTERS) |
         (1<<BAD_FLATE) | (1<<BAD_ASCIIDECODE)|
             (1<<UNTERMINATED_OBJ_DICT) | (1<<UNKNOWN_FILTER)))) {
        rc = CL_EUNPACK;
    }
#endif
    }

done:
    if (CL_SUCCESS == rc && pdf.stats.ninvalidobjs > 0) {
        rc = CL_EFORMAT;
    }

err:

    pdf_export_json(&pdf);

    if (pdf.objstms) {
        for (i = 0; i < pdf.nobjstms; i++) {
            if (pdf.objstms[i]) {
                if (pdf.objstms[i]->streambuf) {
                    free(pdf.objstms[i]->streambuf);
                    pdf.objstms[i]->streambuf = NULL;
                }
                free(pdf.objstms[i]);
                pdf.objstms[i] = NULL;
            }
        }
        free(pdf.objstms);
        pdf.objstms = NULL;
    }

    if (NULL != pdf.objs) {
        for (i = 0; i < pdf.nobjs; i++) {
            if (NULL != pdf.objs[i]) {
                if (NULL != pdf.objs[i]->path) {
                    free(pdf.objs[i]->path);
                    pdf.objs[i]->path = NULL;
                }
                free(pdf.objs[i]);
                pdf.objs[i] = NULL;
            }
        }
        free(pdf.objs);
        pdf.objs = NULL;
    }
    if (pdf.fileID) {
        free(pdf.fileID);
        pdf.fileID = NULL;
    }
    if (pdf.key) {
        free(pdf.key);
        pdf.key = NULL;
    }

    /* PDF hooks may abort, don't return CL_BREAK to caller! */
    rc = (rc == CL_BREAK) ? CL_CLEAN : rc;

    cli_dbgmsg("cli_pdf: returning %d\n", rc);
    return rc;
}

/**
 * @brief   Skip the rest of the current line, and find the start of the next line.
 *
 * @param ptr   Current offset into buffer.
 * @param len   Remaining bytes in buffer.
 *
 * @return const char*  Address of next line, or NULL if no next line in buffer.
 */
static const char *
pdf_nextlinestart(const char *ptr, size_t len)
{
    if (!ptr || (0 == len)) {
        /* Invalid args */
        return NULL;
    }

    while (strchr("\r\n", *ptr) == NULL) {
        if (--len == 0L)
            return NULL;

        ptr++;
    }

    while (strchr("\r\n", *ptr) != NULL) {
        if (--len == 0L)
            return NULL;

        ptr++;
    }

    return ptr;
}

/**
 * @brief   Return the start of the next PDF object.
 *
 * This assumes that we're not in a stream.
 *
 * @param ptr   Current offset into buffer.
 * @param len   Remaining bytes in buffer.
 *
 * @return const char*  Address of next object in the buffer, or NULL if there is none in the buffer.
 */
static const char *
pdf_nextobject(const char *ptr, size_t len)
{
    const char *p;
    int inobject = 1;

    while (len) {
        switch (*ptr) {
            case '\n':
            case '\r':
            case '%': /* comment */
                p = pdf_nextlinestart(ptr, len);
                if (p == NULL)
                    return NULL;

                len -= (size_t)(p - ptr);
                ptr      = p;
                inobject = 0;

                break;
            case ' ':
            case '\t':
            case '[': /* Start of an array object */
            case '\v':
            case '\f':
            case '<': /* Start of a dictionary object */
                inobject = 0;
                ptr++;
                len--;

                break;
            case '/': /* Start of a name object */
                return ptr;
            case '(': /* start of JS */
                return ptr;
            default:
                if (!inobject) {
                    /* TODO: parse and return object type */
                    return ptr;
                }

                ptr++;
                len--;
        }
    }

    return NULL;
}

/* PDF statistics */
static void ASCIIHexDecode_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nasciihexdecode++;
}

static void ASCII85Decode_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nascii85decode++;
}

static void EmbeddedFile_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nembeddedfile++;
}

static void FlateDecode_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nflate++;
}

static void Image_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nimage++;
}

static void LZWDecode_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nlzw++;
}

static void RunLengthDecode_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nrunlengthdecode++;
}

static void CCITTFaxDecode_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nfaxdecode++;
}

static void JBIG2Decode_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    cli_ctx *ctx = NULL;
    struct json_object *pdfobj, *jbig2arr;

    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    ctx = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA))
        return;

    if (!(pdf->ctx->this_layer_metadata_json))
        return;

    pdfobj = cli_jsonobj(pdf->ctx->this_layer_metadata_json, "PDFStats");
    if (!(pdfobj))
        return;

    jbig2arr = cli_jsonarray(pdfobj, "JBIG2Objects");
    if (!(jbig2arr))
        return;

    cli_jsonint_array(jbig2arr, obj->id >> 8);

    pdf->stats.njbig2decode++;
}

static void DCTDecode_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.ndctdecode++;
}

static void JPXDecode_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.njpxdecode++;
}

static void Crypt_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.ncrypt++;
}

static void Standard_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nstandard++;
}

static void Sig_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nsigned++;
}

static void JavaScript_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(pdf);
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    /*
     * Don't record the pdf->stats or JSON now, we'll look for the actual
     * Javascript in the object when we extract it later. This is to prevent
     * false positives when objects reference an indirect object which doesn't
     * actually have any content.
     */
}

static void OpenAction_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nopenaction++;
}

static void Launch_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nlaunch++;
}

static void Page_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.npage++;
}

static void Author_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    cli_ctx *ctx = NULL;

    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    ctx = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA))
        return;

    if (!(pdf->stats.author)) {
        const char *objstart = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
                                             : (const char *)(obj->start + pdf->map);

        pdf->stats.author = calloc(1, sizeof(struct pdf_stats_entry));
        if (!(pdf->stats.author))
            return;

        pdf->parse_recursion_depth++;
        pdf->stats.author->data = pdf_parse_string(pdf, obj, objstart, obj->size, "/Author", NULL, &(pdf->stats.author->meta));
        pdf->parse_recursion_depth--;
    }
}

static void Creator_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    cli_ctx *ctx = NULL;

    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    ctx = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA))
        return;

    if (!(pdf->stats.creator)) {
        const char *objstart = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
                                             : (const char *)(obj->start + pdf->map);

        pdf->stats.creator = calloc(1, sizeof(struct pdf_stats_entry));
        if (!(pdf->stats.creator))
            return;

        pdf->parse_recursion_depth++;
        pdf->stats.creator->data = pdf_parse_string(pdf, obj, objstart, obj->size, "/Creator", NULL, &(pdf->stats.creator->meta));
        pdf->parse_recursion_depth--;
    }
}

static void ModificationDate_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    cli_ctx *ctx = NULL;

    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    ctx = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA))
        return;

    if (!(pdf->stats.modificationdate)) {
        const char *objstart = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
                                             : (const char *)(obj->start + pdf->map);

        pdf->stats.modificationdate = calloc(1, sizeof(struct pdf_stats_entry));
        if (!(pdf->stats.modificationdate))
            return;

        pdf->parse_recursion_depth++;
        pdf->stats.modificationdate->data = pdf_parse_string(pdf, obj, objstart, obj->size, "/ModDate", NULL, &(pdf->stats.modificationdate->meta));
        pdf->parse_recursion_depth--;
    }
}

static void CreationDate_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    cli_ctx *ctx = NULL;

    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    ctx = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA))
        return;

    if (!(pdf->stats.creationdate)) {
        const char *objstart = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
                                             : (const char *)(obj->start + pdf->map);

        pdf->stats.creationdate = calloc(1, sizeof(struct pdf_stats_entry));
        if (!(pdf->stats.creationdate))
            return;

        pdf->parse_recursion_depth++;
        pdf->stats.creationdate->data = pdf_parse_string(pdf, obj, objstart, obj->size, "/CreationDate", NULL, &(pdf->stats.creationdate->meta));
        pdf->parse_recursion_depth--;
    }
}

static void Producer_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    cli_ctx *ctx = NULL;

    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    ctx = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA))
        return;

    if (!(pdf->stats.producer)) {
        const char *objstart = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
                                             : (const char *)(obj->start + pdf->map);

        pdf->stats.producer = calloc(1, sizeof(struct pdf_stats_entry));
        if (!(pdf->stats.producer))
            return;

        pdf->parse_recursion_depth++;
        pdf->stats.producer->data = pdf_parse_string(pdf, obj, objstart, obj->size, "/Producer", NULL, &(pdf->stats.producer->meta));
        pdf->parse_recursion_depth--;
    }
}

static void Title_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    cli_ctx *ctx = NULL;

    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    ctx = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA))
        return;

    if (!(pdf->stats.title)) {
        const char *objstart = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
                                             : (const char *)(obj->start + pdf->map);

        pdf->stats.title = calloc(1, sizeof(struct pdf_stats_entry));
        if (!(pdf->stats.title))
            return;

        pdf->parse_recursion_depth++;
        pdf->stats.title->data = pdf_parse_string(pdf, obj, objstart, obj->size, "/Title", NULL, &(pdf->stats.title->meta));
        pdf->parse_recursion_depth--;
    }
}

static void Keywords_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    cli_ctx *ctx = NULL;

    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    ctx = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA))
        return;

    if (!(pdf->stats.keywords)) {
        const char *objstart = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
                                             : (const char *)(obj->start + pdf->map);

        pdf->stats.keywords = calloc(1, sizeof(struct pdf_stats_entry));
        if (!(pdf->stats.keywords))
            return;

        pdf->parse_recursion_depth++;
        pdf->stats.keywords->data = pdf_parse_string(pdf, obj, objstart, obj->size, "/Keywords", NULL, &(pdf->stats.keywords->meta));
        pdf->parse_recursion_depth--;
    }
}

static void Subject_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    cli_ctx *ctx = NULL;

    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    ctx = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA))
        return;

    if (!(pdf->stats.subject)) {
        const char *objstart = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
                                             : (const char *)(obj->start + pdf->map);

        pdf->stats.subject = calloc(1, sizeof(struct pdf_stats_entry));
        if (!(pdf->stats.subject))
            return;

        pdf->parse_recursion_depth++;
        pdf->stats.subject->data = pdf_parse_string(pdf, obj, objstart, obj->size, "/Subject", NULL, &(pdf->stats.subject->meta));
        pdf->parse_recursion_depth--;
    }
}

static void RichMedia_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nrichmedia++;
}

static void AcroForm_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nacroform++;
}

static void XFA_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    UNUSEDPARAM(obj);
    UNUSEDPARAM(act);

    if (NULL == pdf)
        return;

    pdf->stats.nxfa++;
}

static void Pages_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    cli_ctx *ctx = NULL;
    struct pdf_array *array;
    const char *objstart = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
                                         : (const char *)(obj->start + pdf->map);
    const char *begin;
    unsigned long npages = 0, count;
    long temp_long;
    struct pdf_array_node *node;
    json_object *pdfobj;
    size_t countsize = 0;

    UNUSEDPARAM(act);

    if (!(pdf) || !(pdf->ctx->this_layer_metadata_json))
        return;

    ctx = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA))
        return;

    pdfobj = cli_jsonobj(pdf->ctx->this_layer_metadata_json, "PDFStats");
    if (!(pdfobj))
        return;

    begin = cli_memstr(objstart, obj->size, "/Kids", 5);
    if (!(begin))
        return;

    begin += 5;

    pdf->parse_recursion_depth++;
    array = pdf_parse_array(pdf, obj, obj->size, (char *)begin, NULL);
    pdf->parse_recursion_depth--;

    if (!(array)) {
        cli_jsonbool(pdfobj, "IncorrectPagesCount", 1);
        return;
    }

    for (node = array->nodes; node != NULL; node = node->next)
        if (node->datasz)
            if (strchr((char *)(node->data), 'R'))
                npages++;

    begin = cli_memstr(objstart, obj->size, "/Count", 6);
    if (!(begin)) {
        cli_jsonbool(pdfobj, "IncorrectPagesCount", 1);
        goto cleanup;
    }

    begin += 6;
    while (((size_t)(begin - objstart) < obj->size) && isspace(begin[0]))
        begin++;

    if ((size_t)(begin - objstart) >= obj->size) {
        goto cleanup;
    }

    countsize = (obj->objstm) ? (size_t)(obj->start + obj->objstm->streambuf + obj->size - begin)
                              : (size_t)(obj->start + pdf->map + obj->size - begin);

    if (CL_SUCCESS != cli_strntol_wrap(begin, countsize, 0, 10, &temp_long)) {
        cli_jsonbool(pdfobj, "IncorrectPagesCount", 1);
    } else if (temp_long < 0) {
        cli_jsonbool(pdfobj, "IncorrectPagesCount", 1);
    } else {
        count = (unsigned long)temp_long;
        if (count != npages) {
            cli_jsonbool(pdfobj, "IncorrectPagesCount", 1);
        }
    }

cleanup:
    pdf_free_array(array);
}

static void Colors_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    cli_ctx *ctx = NULL;
    json_object *colorsobj, *pdfobj;
    unsigned long ncolors;
    long temp_long;
    char *p1;
    const char *objstart = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
                                         : (const char *)(obj->start + pdf->map);

    UNUSEDPARAM(act);

    if (!(pdf) || !(pdf->ctx) || !(pdf->ctx->this_layer_metadata_json))
        return;

    ctx = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA))
        return;

    p1 = (char *)cli_memstr(objstart, obj->size, "/Colors", 7);
    if (!(p1))
        return;

    p1 += 7;

    /* Ensure that we have at least one whitespace character plus at least one number */
    if (obj->size - (size_t)(p1 - objstart) < 2)
        return;

    while (((size_t)(p1 - objstart) < obj->size) && isspace(p1[0]))
        p1++;

    if ((size_t)(p1 - objstart) == obj->size)
        return;

    if (CL_SUCCESS != cli_strntol_wrap(p1, (size_t)((p1 - objstart) - obj->size), 0, 10, &temp_long)) {
        return;
    } else if (temp_long < 0) {
        return;
    }
    ncolors = (unsigned long)temp_long;

    /* We only care if the number of colors > 2**24 */
    if (ncolors < 1 << 24)
        return;

    pdfobj = cli_jsonobj(pdf->ctx->this_layer_metadata_json, "PDFStats");
    if (!(pdfobj))
        return;

    colorsobj = cli_jsonarray(pdfobj, "BigColors");
    if (!(colorsobj))
        return;

    cli_jsonint_array(colorsobj, obj->id >> 8);
}

static void URI_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_action *act)
{
    cli_ctx *ctx         = NULL;
    off_t bytesleft      = 0;
    char *uri_start      = NULL;
    char *uri_heap       = NULL;
    const char *objstart = NULL;
    json_object *uriarr  = NULL;

    UNUSEDPARAM(act);

    if (!(pdf) || !(pdf->ctx) || !(pdf->ctx->this_layer_metadata_json) || !obj) {
        return;
    }

    objstart = (obj->objstm) ? (const char *)(obj->start + obj->objstm->streambuf)
                             : (const char *)(obj->start + pdf->map);
    ctx      = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA) || !(SCAN_STORE_PDF_URIS)) {
        return;
    }

    if (obj->size == 0) {
        return;
    }

    if (obj->objstm) {
        bytesleft = MIN(obj->size, obj->objstm->streambuf_len - obj->start);
    } else {
        bytesleft = MIN(obj->size, pdf->size - obj->start);
    }

    // Advance forward to the first '(' character
    size_t start = 0;
    while (bytesleft > 0 && objstart[start] != '(') {
        start++;
        bytesleft--;
    }
    if (bytesleft == 0) {
        return;
    }
    // The first character past '(' is the start of the URI
    uri_start = (char *)(objstart + start + 1);
    bytesleft--;

    // Advance forward to the first ')' character
    size_t end = 0;
    while (bytesleft > 0 && uri_start[end] != ')') {
        end++;
        bytesleft--;
    }
    if (uri_start[end] != ')') {
        return;
    }

    // Create a new string containing only the URI
    CLI_MAX_MALLOC_OR_GOTO_DONE(uri_heap, end + 1,
                                cli_errmsg("cli_pdf: malloc() failed (URI)\n"));
    strncpy(uri_heap, uri_start, end);
    uri_heap[end] = '\0';

    uriarr = cli_jsonarray(pdf->ctx->this_layer_metadata_json, "URIs");
    if (!uriarr) {
        cli_errmsg("cli_pdf: malloc() failed (URI array)\n");
        goto done;
    }
    cli_jsonstr(uriarr, NULL, uri_heap);
done:
    free(uri_heap);
}

static void pdf_free_stats(struct pdf_struct *pdf)
{

    if (!pdf) {
        return;
    }

    if ((pdf->stats.author)) {
        if (pdf->stats.author->data)
            free(pdf->stats.author->data);
        free(pdf->stats.author);
        pdf->stats.author = NULL;
    }

    if (pdf->stats.creator) {
        if (pdf->stats.creator->data)
            free(pdf->stats.creator->data);
        free(pdf->stats.creator);
        pdf->stats.creator = NULL;
    }

    if (pdf->stats.producer) {
        if (pdf->stats.producer->data)
            free(pdf->stats.producer->data);
        free(pdf->stats.producer);
        pdf->stats.producer = NULL;
    }

    if (pdf->stats.modificationdate) {
        if (pdf->stats.modificationdate->data)
            free(pdf->stats.modificationdate->data);
        free(pdf->stats.modificationdate);
        pdf->stats.modificationdate = NULL;
    }

    if (pdf->stats.creationdate) {
        if (pdf->stats.creationdate->data)
            free(pdf->stats.creationdate->data);
        free(pdf->stats.creationdate);
        pdf->stats.creationdate = NULL;
    }

    if (pdf->stats.title) {
        if (pdf->stats.title->data)
            free(pdf->stats.title->data);
        free(pdf->stats.title);
        pdf->stats.title = NULL;
    }

    if (pdf->stats.subject) {
        if (pdf->stats.subject->data)
            free(pdf->stats.subject->data);
        free(pdf->stats.subject);
        pdf->stats.subject = NULL;
    }

    if (pdf->stats.keywords) {
        if (pdf->stats.keywords->data)
            free(pdf->stats.keywords->data);
        free(pdf->stats.keywords);
        pdf->stats.keywords = NULL;
    }
}

static void pdf_export_json(struct pdf_struct *pdf)
{
    cli_ctx *ctx = NULL;
    json_object *pdfobj;
    unsigned long i;

    if (NULL == pdf)
        return;

    if (!(pdf->ctx)) {
        goto cleanup;
    }

    ctx = pdf->ctx;

    if (!(SCAN_COLLECT_METADATA) || !(pdf->ctx->this_layer_metadata_json)) {
        goto cleanup;
    }

    pdfobj = cli_jsonobj(pdf->ctx->this_layer_metadata_json, "PDFStats");
    if (!(pdfobj)) {
        goto cleanup;
    }

    if (pdf->stats.author) {
        if (!pdf->stats.author->meta.success) {
            char *out = pdf_finalize_string(pdf, pdf->stats.author->meta.obj, pdf->stats.author->data, pdf->stats.author->meta.length);
            if (out) {
                free(pdf->stats.author->data);
                pdf->stats.author->data         = out;
                pdf->stats.author->meta.length  = strlen(out);
                pdf->stats.author->meta.success = 1;
            }
        }

        if (pdf->stats.author->meta.success && cli_isutf8(pdf->stats.author->data, pdf->stats.author->meta.length)) {
            cli_jsonstr(pdfobj, "Author", pdf->stats.author->data);
        } else if (pdf->stats.author->data && pdf->stats.author->meta.length) {
            char *b64 = cl_base64_encode(pdf->stats.author->data, pdf->stats.author->meta.length);
            cli_jsonstr(pdfobj, "Author", b64);
            cli_jsonbool(pdfobj, "Author_base64", 1);
            free(b64);
        } else {
            cli_jsonstr(pdfobj, "Author", "");
        }
    }
    if (pdf->stats.creator) {
        if (!pdf->stats.creator->meta.success) {
            char *out = pdf_finalize_string(pdf, pdf->stats.creator->meta.obj, pdf->stats.creator->data, pdf->stats.creator->meta.length);
            if (out) {
                free(pdf->stats.creator->data);
                pdf->stats.creator->data         = out;
                pdf->stats.creator->meta.length  = strlen(out);
                pdf->stats.creator->meta.success = 1;
            }
        }

        if (pdf->stats.creator->meta.success && cli_isutf8(pdf->stats.creator->data, pdf->stats.creator->meta.length)) {
            cli_jsonstr(pdfobj, "Creator", pdf->stats.creator->data);
        } else if (pdf->stats.creator->data && pdf->stats.creator->meta.length) {
            char *b64 = cl_base64_encode(pdf->stats.creator->data, pdf->stats.creator->meta.length);
            cli_jsonstr(pdfobj, "Creator", b64);
            cli_jsonbool(pdfobj, "Creator_base64", 1);
            free(b64);
        } else {
            cli_jsonstr(pdfobj, "Creator", "");
        }
    }
    if (pdf->stats.producer) {
        if (!pdf->stats.producer->meta.success) {
            char *out = pdf_finalize_string(pdf, pdf->stats.producer->meta.obj, pdf->stats.producer->data, pdf->stats.producer->meta.length);
            if (out) {
                free(pdf->stats.producer->data);
                pdf->stats.producer->data         = out;
                pdf->stats.producer->meta.length  = strlen(out);
                pdf->stats.producer->meta.success = 1;
            }
        }

        if (pdf->stats.producer->meta.success && cli_isutf8(pdf->stats.producer->data, pdf->stats.producer->meta.length)) {
            cli_jsonstr(pdfobj, "Producer", pdf->stats.producer->data);
        } else if (pdf->stats.producer->data && pdf->stats.producer->meta.length) {
            char *b64 = cl_base64_encode(pdf->stats.producer->data, pdf->stats.producer->meta.length);
            cli_jsonstr(pdfobj, "Producer", b64);
            cli_jsonbool(pdfobj, "Producer_base64", 1);
            free(b64);
        } else {
            cli_jsonstr(pdfobj, "Producer", "");
        }
    }
    if (pdf->stats.modificationdate) {
        if (!pdf->stats.modificationdate->meta.success) {
            char *out = pdf_finalize_string(pdf, pdf->stats.modificationdate->meta.obj, pdf->stats.modificationdate->data, pdf->stats.modificationdate->meta.length);
            if (out) {
                free(pdf->stats.modificationdate->data);
                pdf->stats.modificationdate->data         = out;
                pdf->stats.modificationdate->meta.length  = strlen(out);
                pdf->stats.modificationdate->meta.success = 1;
            }
        }

        if (pdf->stats.modificationdate->meta.success && cli_isutf8(pdf->stats.modificationdate->data, pdf->stats.modificationdate->meta.length)) {
            cli_jsonstr(pdfobj, "ModificationDate", pdf->stats.modificationdate->data);
        } else if (pdf->stats.modificationdate->data && pdf->stats.modificationdate->meta.length) {
            char *b64 = cl_base64_encode(pdf->stats.modificationdate->data, pdf->stats.modificationdate->meta.length);
            cli_jsonstr(pdfobj, "ModificationDate", b64);
            cli_jsonbool(pdfobj, "ModificationDate_base64", 1);
            free(b64);
        } else {
            cli_jsonstr(pdfobj, "ModificationDate", "");
        }
    }
    if (pdf->stats.creationdate) {
        if (!pdf->stats.creationdate->meta.success) {
            char *out = pdf_finalize_string(pdf, pdf->stats.creationdate->meta.obj, pdf->stats.creationdate->data, pdf->stats.creationdate->meta.length);
            if (out) {
                free(pdf->stats.creationdate->data);
                pdf->stats.creationdate->data         = out;
                pdf->stats.creationdate->meta.length  = strlen(out);
                pdf->stats.creationdate->meta.success = 1;
            }
        }

        if (pdf->stats.creationdate->meta.success && cli_isutf8(pdf->stats.creationdate->data, pdf->stats.creationdate->meta.length)) {
            cli_jsonstr(pdfobj, "CreationDate", pdf->stats.creationdate->data);
        } else if (pdf->stats.creationdate->data && pdf->stats.creationdate->meta.length) {
            char *b64 = cl_base64_encode(pdf->stats.creationdate->data, pdf->stats.creationdate->meta.length);
            cli_jsonstr(pdfobj, "CreationDate", b64);
            cli_jsonbool(pdfobj, "CreationDate_base64", 1);
            free(b64);
        } else {
            cli_jsonstr(pdfobj, "CreationDate", "");
        }
    }
    if (pdf->stats.title) {
        if (!pdf->stats.title->meta.success) {
            char *out = pdf_finalize_string(pdf, pdf->stats.title->meta.obj, pdf->stats.title->data, pdf->stats.title->meta.length);
            if (out) {
                free(pdf->stats.title->data);
                pdf->stats.title->data         = out;
                pdf->stats.title->meta.length  = strlen(out);
                pdf->stats.title->meta.success = 1;
            }
        }

        if (pdf->stats.title->meta.success && cli_isutf8(pdf->stats.title->data, pdf->stats.title->meta.length)) {
            cli_jsonstr(pdfobj, "Title", pdf->stats.title->data);
        } else if (pdf->stats.title->data && pdf->stats.title->meta.length) {
            char *b64 = cl_base64_encode(pdf->stats.title->data, pdf->stats.title->meta.length);
            cli_jsonstr(pdfobj, "Title", b64);
            cli_jsonbool(pdfobj, "Title_base64", 1);
            free(b64);
        } else {
            cli_jsonstr(pdfobj, "Title", "");
        }
    }
    if (pdf->stats.subject) {
        if (!pdf->stats.subject->meta.success) {
            char *out = pdf_finalize_string(pdf, pdf->stats.subject->meta.obj, pdf->stats.subject->data, pdf->stats.subject->meta.length);
            if (out) {
                free(pdf->stats.subject->data);
                pdf->stats.subject->data         = out;
                pdf->stats.subject->meta.length  = strlen(out);
                pdf->stats.subject->meta.success = 1;
            }
        }

        if (pdf->stats.subject->meta.success && cli_isutf8(pdf->stats.subject->data, pdf->stats.subject->meta.length)) {
            cli_jsonstr(pdfobj, "Subject", pdf->stats.subject->data);
        } else if (pdf->stats.subject->data && pdf->stats.subject->meta.length) {
            char *b64 = cl_base64_encode(pdf->stats.subject->data, pdf->stats.subject->meta.length);
            cli_jsonstr(pdfobj, "Subject", b64);
            cli_jsonbool(pdfobj, "Subject_base64", 1);
            free(b64);
        } else {
            cli_jsonstr(pdfobj, "Subject", "");
        }
    }
    if (pdf->stats.keywords) {
        if (!pdf->stats.keywords->meta.success) {
            char *out = pdf_finalize_string(pdf, pdf->stats.keywords->meta.obj, pdf->stats.keywords->data, pdf->stats.keywords->meta.length);
            if (out) {
                free(pdf->stats.keywords->data);
                pdf->stats.keywords->data         = out;
                pdf->stats.keywords->meta.length  = strlen(out);
                pdf->stats.keywords->meta.success = 1;
            }
        }

        if (pdf->stats.keywords->meta.success && cli_isutf8(pdf->stats.keywords->data, pdf->stats.keywords->meta.length)) {
            cli_jsonstr(pdfobj, "Keywords", pdf->stats.keywords->data);
        } else if (pdf->stats.keywords->data && pdf->stats.keywords->meta.length) {
            char *b64 = cl_base64_encode(pdf->stats.keywords->data, pdf->stats.keywords->meta.length);
            cli_jsonstr(pdfobj, "Keywords", b64);
            cli_jsonbool(pdfobj, "Keywords_base64", 1);
            free(b64);
        } else {
            cli_jsonstr(pdfobj, "Keywords", "");
        }
    }
    if (pdf->stats.ninvalidobjs)
        cli_jsonint(pdfobj, "InvalidObjectCount", pdf->stats.ninvalidobjs);
    if (pdf->stats.njs)
        cli_jsonint(pdfobj, "JavaScriptObjectCount", pdf->stats.njs);
    if (pdf->stats.nflate)
        cli_jsonint(pdfobj, "DeflateObjectCount", pdf->stats.nflate);
    if (pdf->stats.nactivex)
        cli_jsonint(pdfobj, "ActiveXObjectCount", pdf->stats.nactivex);
    if (pdf->stats.nflash)
        cli_jsonint(pdfobj, "FlashObjectCount", pdf->stats.nflash);
    if (pdf->stats.ncolors)
        cli_jsonint(pdfobj, "ColorCount", pdf->stats.ncolors);
    if (pdf->stats.nasciihexdecode)
        cli_jsonint(pdfobj, "AsciiHexDecodeObjectCount", pdf->stats.nasciihexdecode);
    if (pdf->stats.nascii85decode)
        cli_jsonint(pdfobj, "Ascii85DecodeObjectCount", pdf->stats.nascii85decode);
    if (pdf->stats.nembeddedfile)
        cli_jsonint(pdfobj, "EmbeddedFileCount", pdf->stats.nembeddedfile);
    if (pdf->stats.nimage)
        cli_jsonint(pdfobj, "ImageCount", pdf->stats.nimage);
    if (pdf->stats.nlzw)
        cli_jsonint(pdfobj, "LZWCount", pdf->stats.nlzw);
    if (pdf->stats.nrunlengthdecode)
        cli_jsonint(pdfobj, "RunLengthDecodeCount", pdf->stats.nrunlengthdecode);
    if (pdf->stats.nfaxdecode)
        cli_jsonint(pdfobj, "FaxDecodeCount", pdf->stats.nfaxdecode);
    if (pdf->stats.njbig2decode)
        cli_jsonint(pdfobj, "JBIG2DecodeCount", pdf->stats.njbig2decode);
    if (pdf->stats.ndctdecode)
        cli_jsonint(pdfobj, "DCTDecodeCount", pdf->stats.ndctdecode);
    if (pdf->stats.njpxdecode)
        cli_jsonint(pdfobj, "JPXDecodeCount", pdf->stats.njpxdecode);
    if (pdf->stats.ncrypt)
        cli_jsonint(pdfobj, "CryptCount", pdf->stats.ncrypt);
    if (pdf->stats.nstandard)
        cli_jsonint(pdfobj, "StandardCount", pdf->stats.nstandard);
    if (pdf->stats.nsigned)
        cli_jsonint(pdfobj, "SignedCount", pdf->stats.nsigned);
    if (pdf->stats.nopenaction)
        cli_jsonint(pdfobj, "OpenActionCount", pdf->stats.nopenaction);
    if (pdf->stats.nlaunch)
        cli_jsonint(pdfobj, "LaunchCount", pdf->stats.nlaunch);
    if (pdf->stats.npage)
        cli_jsonint(pdfobj, "PageCount", pdf->stats.npage);
    if (pdf->stats.nrichmedia)
        cli_jsonint(pdfobj, "RichMediaCount", pdf->stats.nrichmedia);
    if (pdf->stats.nacroform)
        cli_jsonint(pdfobj, "AcroFormCount", pdf->stats.nacroform);
    if (pdf->stats.nxfa)
        cli_jsonint(pdfobj, "XFACount", pdf->stats.nxfa);
    if (pdf->flags & (1 << BAD_PDF_VERSION))
        cli_jsonbool(pdfobj, "BadVersion", 1);
    if (pdf->flags & (1 << BAD_PDF_HEADERPOS))
        cli_jsonbool(pdfobj, "BadHeaderPosition", 1);
    if (pdf->flags & (1 << BAD_PDF_TRAILER))
        cli_jsonbool(pdfobj, "BadTrailer", 1);
    if (pdf->flags & (1 << BAD_PDF_TOOMANYOBJS))
        cli_jsonbool(pdfobj, "TooManyObjects", 1);
    if (pdf->flags & (1 << ENCRYPTED_PDF)) {
        cli_jsonbool(pdfobj, "Encrypted", 1);
        if (pdf->flags & (1 << DECRYPTABLE_PDF))
            cli_jsonbool(pdfobj, "Decryptable", 1);
        else
            cli_jsonbool(pdfobj, "Decryptable", 0);
    }

    for (i = 0; i < pdf->nobjs; i++) {
        if (pdf->objs[i]->flags & (1 << OBJ_TRUNCATED)) {
            json_object *truncobj;

            truncobj = cli_jsonarray(pdfobj, "TruncatedObjects");
            if (!(truncobj))
                continue;

            cli_jsonint_array(truncobj, pdf->objs[i]->id >> 8);
        }
    }

cleanup:
    pdf_free_stats(pdf);
}
